MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d
SHA3-384 hash: bbeadb0af83a81b0f3b13ecef3f7e2aee629a80be762d0d79e01420e54b29b0e1f035b206c97f5e22610f59302332281
SHA1 hash: 264411380873a0f9d3336e195b36971354951c9c
MD5 hash: d33d77466f01de1cda784d879c2ee7b8
humanhash: zulu-robert-massachusetts-robin
File name:Chicago_capital one bank confirmation.pdf .exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:690'176 bytes
First seen:2020-08-10 12:49:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ce9dc34dcdc6dcac1abc92d3ec049de7 (11 x AgentTesla, 4 x MassLogger, 2 x FormBook)
ssdeep 12288:lQoTCHdOasekxlSBWq6UDb9BxgMBFGCeR7HcKLyVy:e4UOaeCWal93GVRLjuy
Threatray 2'704 similar samples on MalwareBazaar
TLSH 1FE4395AA190C433C363E57BEC0FD6F364167D8AA72416472BE57E0CAA372712C1627E
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: mailrelay1-3.pub.mailoutpod1-cph3.one.com
Sending IP: 46.30.212.10
From: <order@swedbrasil.com>
Reply-To: <order@swedbrasil.com>
Subject: BANK CONFIRMATION CAPITAL ONE CHICAGO
Attachment: Chicago_capital one bank confirmation.img (contains "Chicago_capital one bank confirmation.pdf .exe")

AsyncRAT C2:
45.143.223.34:3218

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42769/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BScope.Adware.Kraddare.1524.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/416913
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260619 Sample: Chicago_capital one bank co... Startdate: 10/08/2020 Architecture: WINDOWS Score: 100 69 Yara detected AntiVM_3 2->69 71 Yara detected AsyncRAT 2->71 73 Sigma detected: Drops script at startup location 2->73 75 5 other signatures 2->75 14 Chicago_capital one bank confirmation.pdf .exe 2->14         started        17 wscript.exe 1 2->17         started        process3 signatures4 99 Writes to foreign memory regions 14->99 101 Allocates memory in foreign processes 14->101 103 Queues an APC in another process (thread injection) 14->103 19 notepad.exe 5 14->19         started        23 library.exe 17->23         started        process5 file6 61 C:\Users\user\AppData\Roaming\...\library.exe, PE32 19->61 dropped 63 C:\Users\user\...\library.exe:Zone.Identifier, ASCII 19->63 dropped 65 C:\Users\user\AppData\Roaming\...\library.vbs, ASCII 19->65 dropped 79 Creates files in alternative data streams (ADS) 19->79 81 Drops VBS files to the startup folder 19->81 25 library.exe 19->25         started        83 Maps a DLL or memory area into another process 23->83 28 library.exe 23->28         started        30 library.exe 3 23->30         started        signatures7 process8 signatures9 87 Detected unpacking (changes PE section rights) 25->87 89 Detected unpacking (creates a PE file in dynamic memory) 25->89 91 Detected unpacking (overwrites its own PE header) 25->91 93 2 other signatures 25->93 32 library.exe 2 25->32         started        35 library.exe 25->35         started        37 library.exe 28->37         started        process10 dnsIp11 67 45.143.223.34, 3218, 49717 ZUMYNL Netherlands 32->67 85 Maps a DLL or memory area into another process 37->85 40 library.exe 37->40         started        42 library.exe 2 37->42         started        signatures12 process13 process14 44 library.exe 40->44         started        signatures15 97 Maps a DLL or memory area into another process 44->97 47 library.exe 44->47         started        49 library.exe 44->49         started        process16 process17 51 library.exe 47->51         started        signatures18 77 Maps a DLL or memory area into another process 51->77 54 library.exe 51->54         started        56 library.exe 51->56         started        process19 process20 58 library.exe 54->58         started        signatures21 95 Maps a DLL or memory area into another process 58->95
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 12:51:06 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3zhu46eseytmolgk5mkqy7r2aehduftob32ao75lviki2e5e46q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
13c555d2bc29bc384b7c496c0aefadfbe38d7b415e11c43bdbcfdf702062d1f3
AsyncRAT
298e36ccbf66428cba5cf385f3bb33d4c807aa707ff06d66869e7d584b3e5287
AsyncRAT
3ddfcc0ce0a57e7f3131d0ba603d6516f00c6cf94f67e79ab38a7e8f922f74bc
AsyncRAT
6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6
AsyncRAT
7ab75859697472c8bda10b6cb7e7ffa7c8f5ce5eae3e7c67a565ffad2c6de83b
AsyncRAT
91aec1cffe5f0160137ab5d98b28a1c381465abbb7ad8c2c1c8dd6df05345e34
AsyncRAT
a6df90a24c8100b2ce198b1d3aee1f5bc78d6ab846911a58a0183f4c72912217
AsyncRAT
a9abad7f4aace35de5651f437a83f47787606345d04ea63426db6a7a9b02ba5e
AsyncRAT
e3a18338921238575f176f679030eac3352c24066d8da0602b3c8b4e75bb1bad
AsyncRAT
e45aa38e4f734a6b5e9d8e55d3b71b16e4ae389eb7c857bbdaa98fb47e1d9ef3
AsyncRAT
+ 2'694 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
upx rat family:asyncrat
Link:
https://tria.ge/reports/200810-d57t491cfx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious use of SetThreadContext
Loads dropped DLL
Drops startup file
Executes dropped EXE
UPX packed file
Async RAT payload
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img ecd1e6c82bbe83111ac4ecac4b4b45b373b68762df4872b37fd42bdff27d8574

AsyncRAT

Executable exe 56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d

(this sample)

  
Dropped by
MD5 0adf6c503f90dcf34f0d7f498cc4dc79
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ecd1e6c82bbe83111ac4ecac4b4b45b373b68762df4872b37fd42bdff27d8574
Cape
Cape
https://www.capesandbox.com/analysis/42769/

Comments