MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fe55684ef64ad80c3994eb961d1008585121b9708546ad0a1fd87141619555d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fe55684ef64ad80c3994eb961d1008585121b9708546ad0a1fd87141619555d
SHA3-384 hash: 10539f2909caaec2e44538e27bf42b58425ec206368ae90c49de3c317e015c1350dfb0f1e2ff1cd1ee2773373f5bde79
SHA1 hash: f079be3d9355ba22db82e9d06f022ba68f284c31
MD5 hash: 9646cb8f86411e94d022d1472c527c11
humanhash: thirteen-neptune-yellow-six
File name:19112020778IMG78487784.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:297'984 bytes
First seen:2020-11-19 08:20:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:64bAYWUyrngIhj0KNk8bRIu8n+BiV+d1O+7KT2shtLJZ9F:adtNhG5VaV7C2w39
Threatray 466 similar samples on MalwareBazaar
TLSH 49548C502169DF37E57DC3FA8382E6F057BE7A364804D2A54CC622DB6524FC4CAB1A87
Reporter abuse_ch
Tags:AsyncRAT exe nVpn Outlook RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: EUR06-AM7-obe.outbound.protection.outlook.com
Sending IP: 40.92.16.86
From: EDEN LABO <edenlabo@hotmail.com>
Subject: TR: 回复: PROFORMA INVOICE 200102-003: REV QUOTATION 191231-003 RE: 回复: 回复: TOP TOP URGENT
Attachment: 19112020778IMG78487784.xz (contains "19112020778IMG78487784.exe")

AsyncRAT C2:
194.5.97.249:9951

Hosted on nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.97.0 - 194.5.97.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-UK5
country: GB
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
mnt-by: PRIVACYFIRST-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-26T17:48:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader35.54721.26395.9956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/542488
Signature
Drops PE files to the startup folder
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320356 Sample: 19112020778IMG78487784.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 80 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AsyncRAT 2->41 43 3 other signatures 2->43 9 19112020778IMG78487784.exe 3 2->9         started        11 19112020778IMG78487784.exe 2 2->11         started        process3 process4 13 cmd.exe 1 9->13         started        16 19112020778IMG78487784.exe 11->16         started        signatures5 47 Suspicious powershell command line found 13->47 18 powershell.exe 19 13->18         started        20 conhost.exe 13->20         started        22 timeout.exe 1 13->22         started        process6 process7 24 19112020778IMG78487784.exe 3 18->24         started        27 wscript.exe 18->27         started        file8 33 C:\Users\...\19112020778IMG78487784.exe.log, ASCII 24->33 dropped 30 19112020778IMG78487784.exe 1 2 24->30         started        45 Drops PE files to the startup folder 27->45 signatures9 process10 dnsIp11 35 194.5.97.249, 49760, 9951 DANILENKODE Netherlands 30->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fe55684ef64ad80c3994eb961d1008585121b9708546ad0a1fd87141619555d/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 03:07:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7svnbhpmswybq4zj24wduiaqwcreg4xbbkgvufb7wdrifqzkvoq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0e7c56b00281e18e385042a28f0e6202fbe39f3cdb219d17489799fca09b6550
AsyncRAT
0eeb561ea16bf80e301847add0363445976f5ab518d23e499cbf1f7ce9e6fc59
AsyncRAT
137b5dc137f3f0c5bc3d4e1cd1f2396b33bd5b87291f72013a98b319c130b451
AsyncRAT
37965f22c013912043bab3cb214f8219ba54e3c3570132985fc37be5a9e4ba49
AsyncRAT
5515739bd8752264b7ee2a2c9b957d36af9fb16b19d7dd1aef4139f2fe74af47
AsyncRAT
5e21f7f70d7f4328f3d27e4b040ead9ffa6bab8f91dbb1fb9cb211058a4ea961
AsyncRAT
9b471c2935fdd01c7e9d57e78f91d213e6d1b5a44ac1719048d92d02d1976422
AsyncRAT
abf3559102f105717f176c7929b5994a35686be15d37fb91d19d885f79cc1310
AsyncRAT
b05af3b65673a21e658075117c050ce9ebdf47634b64e354a6abf241fc8e8a9e
AsyncRAT
f019485de1ca48a37011e7df076b8e7105e928d4b2695caa1a6780a2a30f45cb
AsyncRAT
+ 456 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/201119-3dm5ezt3c6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Async RAT payload
Beds Protector Packer
AsyncRat
Malware Config
C2 Extraction:
194.5.97.249:9951
Unpacked files
SH256 hash:
4fe55684ef64ad80c3994eb961d1008585121b9708546ad0a1fd87141619555d
MD5 hash:
9646cb8f86411e94d022d1472c527c11
SHA1 hash:
f079be3d9355ba22db82e9d06f022ba68f284c31
Link:
https://www.unpac.me/results/29d5b9e9-11af-4228-a593-4636d9d4247e/
SH256 hash:
d5f66c0fde97ed183d774093174f7e27ae6d30846fe6f075e98b79df445aff72
MD5 hash:
7057bc859e3b4869d3ed2966046ac516
SHA1 hash:
1743a7f960dcea1e68d3cb1fbed1ab33f4d5a7d0
Link:
https://www.unpac.me/results/29d5b9e9-11af-4228-a593-4636d9d4247e/
SH256 hash:
53ab5659fdc920982001a764d035228b609248443409fdcb5007ed881c03501c
MD5 hash:
60a779602e84c70835cda4315c3b062e
SHA1 hash:
645633958b5960f9ce2af8bf28af613dfe05de7f
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/29d5b9e9-11af-4228-a593-4636d9d4247e/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4fe55684ef64/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

xz 64ed6346638c08c2a79a5b450ebabbcc0627dc22a13f4da9483174e71b8b819e

AsyncRAT

Executable exe 4fe55684ef64ad80c3994eb961d1008585121b9708546ad0a1fd87141619555d

(this sample)

  
Dropped by
MD5 efae83e2bdfc62bbaf09f1caf1d4c471
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 64ed6346638c08c2a79a5b450ebabbcc0627dc22a13f4da9483174e71b8b819e

Comments