MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9
SHA3-384 hash: 9e97502d458216a5471862b7b4bb4c43c3fdd52a5812929500569e328fc6d10a8cd337dd4cf69e707feda6024448541b
SHA1 hash: 4c06a1a5471ebdba8669981e9a50de00a09bf120
MD5 hash: e23cff81572101abd02dadc9f6269b6e
humanhash: hot-one-mountain-delaware
File name:CT558801294_504670_03732174347.PDF.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'365'888 bytes
First seen:2020-10-14 15:40:22 UTC
Last seen:2020-10-14 17:01:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:///1gNPmRao5h2ytcJEEFuLMR2c0gyOcPaoqmgdbU7qLJPBwHHPIbUWxrlrF:/FgNsaSh2ySEhskcFZqRQbRN
Threatray 1'300 similar samples on MalwareBazaar
TLSH 82F5E10B69C344E4C485AE75A3FD55F812F06BAF1514A7BB220663E4CFA225F350B1EB
Reporter abuse_ch
Tags:AsyncRAT Citibank exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: server.doklsa.us
Sending IP: 185.249.197.82
From: trade.sg@citi.com <trade.sg@citi.com>
Subject: Citibank Transaction Notification
Attachment: CT558801294_504670_03732174347.PDF.tbz2 (contains "CT558801294_504670_03732174347.PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.37614.18916.16334.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating a process from a recently created file
Running batch commands
Creating a file in the Windows subdirectories
Launching a process
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491361
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298244 Sample: CT558801294_504670_03732174... Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 10 other signatures 2->89 11 CT558801294_504670_03732174347.PDF.exe 3 2->11         started        15 scan21.exe 2->15         started        process3 file4 67 C:\Users\user\Pictures\tree3.exe, PE32 11->67 dropped 69 CT558801294_504670...2174347.PDF.exe.log, ASCII 11->69 dropped 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->115 17 cmd.exe 1 11->17         started        19 cmd.exe 1 11->19         started        22 cmd.exe 2 11->22         started        25 cmd.exe 15->25         started        signatures5 process6 file7 27 tree3.exe 1 17->27         started        30 conhost.exe 17->30         started        91 Drops executables to the windows directory (C:\Windows) and starts them 19->91 32 scan21.exe 3 19->32         started        34 conhost.exe 19->34         started        65 C:\Windows\SysWOW64\scan21.exe, PE32 22->65 dropped 36 conhost.exe 22->36         started        38 tree3.exe 25->38         started        40 conhost.exe 25->40         started        signatures8 process9 signatures10 103 Machine Learning detection for dropped file 27->103 105 Writes to foreign memory regions 27->105 107 Allocates memory in foreign processes 27->107 42 mscorsvw.exe 17 27->42         started        109 Antivirus detection for dropped file 32->109 46 InstallUtil.exe 32->46         started        111 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->111 113 Injects a PE file into a foreign processes 38->113 48 mscorsvw.exe 38->48         started        process11 dnsIp12 79 jobskill.scienceontheweb.net 185.176.43.102, 49728, 49734, 80 ZETTA-ASBG Bulgaria 42->79 71 C:\Users\user\AppData\Local\Temp\B.exe, PE32 42->71 dropped 73 C:\Users\user\AppData\Local\Temp\A.exe, PE32 42->73 dropped 75 C:\Users\user\AppData\Local\...\B[1], PE32 42->75 dropped 77 C:\Users\user\AppData\Local\...\A[1], PE32 42->77 dropped 50 cmd.exe 42->50         started        52 cmd.exe 1 42->52         started        81 185.244.30.121, 49735, 49738, 49739 DAVID_CRAIGGG Netherlands 46->81 file13 process14 process15 54 B.exe 50->54         started        57 conhost.exe 50->57         started        59 A.exe 13 52->59         started        61 conhost.exe 52->61         started        signatures16 93 Multi AV Scanner detection for dropped file 54->93 95 Tries to steal Instant Messenger accounts or passwords 54->95 97 Tries to steal Mail credentials (via file access) 54->97 63 WerFault.exe 54->63         started        99 Machine Learning detection for dropped file 59->99 101 Tries to harvest and steal browser information (history, passwords, etc) 59->101 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 01:26:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kw3xt427pos3pzaj3ysf6ddmrqxx6objf56thnbomxy74tf6n3uq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
12859bb50366c248e9488a8852c0923bcb4135f8fcedcbac19228fe329ff39a7
AsyncRAT
17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71
AsyncRAT
25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1
AsyncRAT
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
AsyncRAT
9ce6624dc6af9ed519b91bec5776526a0e06677634483a76ad6861b88adf6c25
AsyncRAT
a4df5e9015f70b47dc4f2e6bae0fbeb9d108979e0cda7ef54aa123a0d33bdf8b
AsyncRAT
bbae735df39c1301901ca97c6993f2b6fd7233a0360761eab8b65f2556df4517
AsyncRAT
c2e6a6a4dcceeb65c2b769b92223c4b5c6de325709146391a4863dd56f4eb3d1
AsyncRAT
c578d33e132ccbbc26a4a31e6054fea7f42591b391e9b8eb30eaf732ed119088
AsyncRAT
e7c0c0108074647bb7a3c9d976c478e3fdbb047a910af9d988057508cec4dd8c
AsyncRAT
+ 1'290 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat spyware family:asyncrat
Link:
https://tria.ge/reports/201014-z4wtem7the/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
ServiceHost packer
AsyncRat
Malware Config
C2 Extraction:
185.244.30.121:7882
Unpacked files
SH256 hash:
55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9
MD5 hash:
e23cff81572101abd02dadc9f6269b6e
SHA1 hash:
4c06a1a5471ebdba8669981e9a50de00a09bf120
Link:
https://www.unpac.me/results/dcdd2e21-e499-4dee-87c0-e64ee543a341/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/dcdd2e21-e499-4dee-87c0-e64ee543a341/
SH256 hash:
4e76533f08b3f6ff841286bf32be0ed6118cf81ce80c9e863214622fb5e4d3bc
MD5 hash:
7587cc645db8e0cc4fb75c725e6bd1dc
SHA1 hash:
56c6dab33f4b758076daefe6cf945b71ca1ca704
Link:
https://www.unpac.me/results/dcdd2e21-e499-4dee-87c0-e64ee543a341/
SH256 hash:
2193d424f3e233a02161804c9d87185c5ffff2963e69efb522810a8696fc5a2e
MD5 hash:
4228e889825561251c7ff369da9069d5
SHA1 hash:
fc1b2809aa648c4d4c48bad5937db208623f4b55
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/dcdd2e21-e499-4dee-87c0-e64ee543a341/
Parent samples :
c578d33e132ccbbc26a4a31e6054fea7f42591b391e9b8eb30eaf732ed119088
74817ca889247bccdb4d0c98c608d0bf46912a7d1cf00ba43c070f9093326a07
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9
e9fb11df00c7a833b875f7c68fc6d5ee3edeeac7c63d85fc4897f6aef7596f7c
75b28b1c5a969011567d3300a309043511de798a302a2424e0f1d3ad384b29de
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/dcdd2e21-e499-4dee-87c0-e64ee543a341/
SH256 hash:
46d3802acb6c708fcba3fa7b0432b362a06220c078e4a16c89b248022d753e72
MD5 hash:
2706c4174f7f3794cf3428823e8e452b
SHA1 hash:
9f135a396459c2ef6b501fd6a0ad66d683da7e24
Link:
https://www.unpac.me/results/dcdd2e21-e499-4dee-87c0-e64ee543a341/
SH256 hash:
2069b8009a9e0ef650c893080321008d73698655209dd6e8b1a1ad49362ea2ea
MD5 hash:
13852fb168fce006e4e784545e8aff77
SHA1 hash:
b4f728713495bdf6c93f4e9ab778f812bd0b52b0
Link:
https://www.unpac.me/results/dcdd2e21-e499-4dee-87c0-e64ee543a341/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

rar debf06b67e40b6983a05884c32c82bf821fc83d57019fb214c4874c5b4dfd342

AsyncRAT

Executable exe 55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9

(this sample)

  
Dropped by
MD5 be61aebcd7e87ee3f57562a6ee39b1cd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 debf06b67e40b6983a05884c32c82bf821fc83d57019fb214c4874c5b4dfd342
Cape
Cape
https://www.capesandbox.com/analysis/70916/

Comments