MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
SHA3-384 hash: 8d3e35b48ee2e28a84a8214fd7a2a70923292f78fef401864f88cb2deed297dbf727e36c13eb07e85829b0269c5dac63
SHA1 hash: 22648c79fb790e4a044fd73dbea16e2cb11a5125
MD5 hash: 3e7ac2eeab57aa2dcfb94e28c6e0c41c
humanhash: happy-blossom-lemon-oranges
File name:3e7ac2eeab57aa2dcfb94e28c6e0c41c.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:381'952 bytes
First seen:2021-05-29 12:10:21 UTC
Last seen:2021-05-29 12:47:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:aac4xgguKsperRxE8ql2aTM0uBQ7ZesC3rbmqts:0YgguPIRCncM14rbmqt
Threatray 266 similar samples on MalwareBazaar
TLSH 9A84644CA9743A5BC60018F8FA63C5057A63EFD32BD9E1C69754B687D0712F8EE084E9
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
93.115.21.128:8808

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
93.115.21.128:8808 https://threatfox.abuse.ch/ioc/66772/

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e7ac2eeab57aa2dcfb94e28c6e0c41c.exe
Verdict:
No threats detected
Analysis date:
2021-05-29 12:13:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ea35850-5e67-4fd0-9968-e7bf97daa5c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163164/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36914152.16578.1705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794242
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426638 Sample: 1p037oXV3S.exe Startdate: 29/05/2021 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected AsyncRAT 2->62 64 5 other signatures 2->64 8 1p037oXV3S.exe 4 8 2->8         started        12 Dismd.exe 2->12         started        14 Dismd.exe 2->14         started        process3 file4 40 C:\Users\user\AppData\Roaming\...\Dismd.exe, PE32 8->40 dropped 42 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 8->42 dropped 44 C:\Users\user\...\Dismd.exe:Zone.Identifier, ASCII 8->44 dropped 46 3 other files (2 malicious) 8->46 dropped 66 Writes to foreign memory regions 8->66 68 Allocates memory in foreign processes 8->68 70 Injects a PE file into a foreign processes 8->70 16 wscript.exe 1 8->16         started        19 RegAsm.exe 15 2 8->19         started        22 AdvancedRun.exe 1 8->22         started        30 2 other processes 8->30 72 Multi AV Scanner detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 24 RegAsm.exe 12->24         started        26 RegAsm.exe 12->26         started        28 RegAsm.exe 14->28         started        signatures5 process6 dnsIp7 54 Wscript starts Powershell (via cmd or directly) 16->54 56 Adds a directory exclusion to Windows Defender 16->56 32 powershell.exe 16->32         started        48 93.115.21.128, 49712, 8808 MVPShttpswwwmvpsnetEU Romania 19->48 50 pastebin.com 104.23.99.190, 443, 49711 CLOUDFLARENETUS United States 19->50 52 192.168.2.1 unknown unknown 22->52 34 AdvancedRun.exe 22->34         started        36 AdvancedRun.exe 30->36         started        signatures8 process9 process10 38 conhost.exe 32->38         started       
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-16 21:46:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kf5kjj4yzv4fzlt33fzcxv42b6c6vxd2h2o37iseia2i35hppr6a._file
Verdict:
malicious
Similar samples:
0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7
AsyncRAT
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
AsyncRAT
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
AsyncRAT
520fae27134b14bb92d3858083c08496cee8b1c7631f0a374c5e168adfa799f2
AsyncRAT
84858fb9b1e2533886a654de52671d91b9d9d7f77ecc7a883d6f03821376b3c3
AsyncRAT
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
AsyncRAT
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
AsyncRAT
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
AsyncRAT
cfd58b76ee10d732160ae05b4cb87e95713ad0ef8b17d77f0bb33b31ac4e6e18
AsyncRAT
e111f6f2fa1deba59df581d3c6ef269c3e3628b2649cb728e30092d8d30e258c
AsyncRAT
+ 256 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/210529-wx1697vzh2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Nirsoft
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163164/

Comments