MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49f9c9e79441d891f84d5a457fed44897f95f8f691b387fcab2e63ec9a505667. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	49f9c9e79441d891f84d5a457fed44897f95f8f691b387fcab2e63ec9a505667
SHA3-384 hash:	16dc73e84a6bc7e32f11b03af858c1dfd3eb5304a697a01d9eb0bb5c1dcc46ac351ecac4115e3f80d01631fffd4890ea
SHA1 hash:	23fab65c7a63a623c18af99586a71ed8de764eff
MD5 hash:	c7d877867aa385c37a48f2e9d39ca206
humanhash:	alanine-william-rugby-washington
File name:	FedEx's AWB#5305323204643.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	552'960 bytes
First seen:	2020-10-01 13:36:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:kqca8Eup3sw9DQm2d+6BXF6NT3JZi0Dgt+TmxJvS6E7:rcaLKD0d+6BXF6Nr7gQaxJvSp7
Threatray	268 similar samples on MalwareBazaar
TLSH	94C4016DF298BE5BCA7C8BFC8499040957B49112598BFBC5CCC2B8FA17903D12E4AD47
Reporter	James_inthe_box
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/67407/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending a custom TCP request

Connection attempt

Enabling autorun by creating a file

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/479359

Signature

Connects to a pastebin service (likely for C&C)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49f9c9e79441d891f84d5a457fed44897f95f8f691b387fcab2e63ec9a505667/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2020-10-01 05:30:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

37 of 48 (77.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jh44tz4uihmjd6cnljcx73kerf7zl6hwsgzyp7flfzr6zgsqkztq._file

Verdict:

malicious

Label(s):

asyncrat

Result

Malware family:

asyncrat

Score:

10/10

Tags:

rat family:asyncrat

Link:

https://tria.ge/reports/201001-6dyexpkcjx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Async RAT payload

AsyncRat

Unpacked files

SH256 hash:

49f9c9e79441d891f84d5a457fed44897f95f8f691b387fcab2e63ec9a505667

MD5 hash:

c7d877867aa385c37a48f2e9d39ca206

SHA1 hash:

23fab65c7a63a623c18af99586a71ed8de764eff

Link:

https://www.unpac.me/results/99e8330a-3a2d-43cc-9d82-6da12bdb3268/

SH256 hash:

7048985917a7aa6b21f8f33a014076c805107a8b0a6eec1d0d979087db4c9b27

MD5 hash:

346d494f0029156c9cb7c94616b38980

SHA1 hash:

35cc1551e62c8bb7eace152371b03fa60b142fc8

Link:

https://www.unpac.me/results/99e8330a-3a2d-43cc-9d82-6da12bdb3268/

SH256 hash:

e0f1f79b7a1e0479c53c843a8ea203ecd06904c0e62c6caea57e1e18b633fc26

MD5 hash:

5b55ea896a010fc6fc2153f8d024fdef

SHA1 hash:

9b53617683dbafa76a71a0ed64e8d12caa0f79af

Link:

https://www.unpac.me/results/99e8330a-3a2d-43cc-9d82-6da12bdb3268/

SH256 hash:

37658ad82e6f7b5f0f5bc52ffd93700bebd37038fdeb0d4b7d64772bfea2dba3

MD5 hash:

910d72a80d7a6a8a2e2cd60a2193ab57

SHA1 hash:

e9e2661183d00ca5c98680af494f7ca38c0b8f74

Link:

https://www.unpac.me/results/99e8330a-3a2d-43cc-9d82-6da12bdb3268/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49f9c9e79441d891f84d5a457fed44897f95f8f691b387fcab2e63ec9a505667

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/67407/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample