MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57311d2b4a33c4cd2dd65302938876a40539eec1cea6df82539dce8e9c2f29ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57311d2b4a33c4cd2dd65302938876a40539eec1cea6df82539dce8e9c2f29ae
SHA3-384 hash: 7b6ee6ee521e8d478551e222c9cb2b2580f13bbe8f7f84bb8a723a615494b3d46e3d15cc9a075ff3487aad114c8104e9
SHA1 hash: 00c17c4d24aa4892b4afd2de36f8e79ebed9749d
MD5 hash: cb617fb45decfb004a575353995f33c5
humanhash: cardinal-india-chicken-robert
File name:ORDER-210309.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:5'251'547 bytes
First seen:2021-03-09 11:05:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94984869e1c4b93c0069850d9e3b564b (2 x AsyncRAT, 2 x CobaltStrike, 1 x CoinMiner)
ssdeep 98304:T0VJ9FevYYMeBFh5iFIRv2Vb84BnvyBQPnRNJe1B+XKrbFAuacBSA:TineMeR5U84SGRNJpRua
Threatray 33 similar samples on MalwareBazaar
TLSH 88363399F1B149F1ECF7C939C862C826EF323D1F07549A97128822D75F63B64292B385
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: server1.mepclogistics.icu
Sending IP: 162.0.237.90
From: Henning Scheider <info@federated.ca>
Reply-To: info@federated.ca
Subject: BANK DETAILS FOR ATTACHED ORDER
Attachment: ORDER-210309.img (contains "ORDER-210309.exe")

AsyncRAT paylod URL:
http://transfer.sh/get/sxPvF/stub.exe

AsyncRAT c2:
chongmei33.publicvm.com:2703 (46.243.221.26)

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER-210309.exe
Verdict:
No threats detected
Analysis date:
2021-03-09 11:08:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/06dda8d8-21ce-4857-bf49-4059020aa4a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123157/
Detection(s):
SecuriteInfo.com.PE_File_pyinstaller.16060.21689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Deleting a recently created file
DNS request
Sending an HTTP GET request
Moving a file to the %temp% subdirectory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Sending a custom TCP request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/632590
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Sigma detected: Add file from suspicious location to autostart registry
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365262 Sample: ORDER-210309.exe Startdate: 09/03/2021 Architecture: WINDOWS Score: 100 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Found malware configuration 2->103 105 Yara detected AsyncRAT 2->105 107 5 other signatures 2->107 11 ORDER-210309.exe 14 2->11         started        14 stub.exe 46 2->14         started        16 stub.exe 2->16         started        process3 file4 87 11 other files (none is malicious) 11->87 dropped 18 ORDER-210309.exe 5 11->18         started        75 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 14->75 dropped 77 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 14->77 dropped 79 C:\Users\user\AppData\Local\...\win32pipe.pyd, PE32+ 14->79 dropped 89 26 other files (none is malicious) 14->89 dropped 22 stub.exe 14->22         started        81 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 16->81 dropped 83 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 16->83 dropped 85 C:\Users\user\AppData\Local\...\win32pipe.pyd, PE32+ 16->85 dropped 91 26 other files (none is malicious) 16->91 dropped 25 stub.exe 16->25         started        process5 dnsIp6 95 transfer.sh 144.76.136.153, 443, 49706, 49714 HETZNER-ASDE Germany 18->95 73 C:\Users\user\AppData\...\stub.exe4t3j1z.tmp, PE32+ 18->73 dropped 27 cmd.exe 1 18->27         started        109 Adds a directory exclusion to Windows Defender 22->109 29 powershell.exe 22->29         started        31 powershell.exe 25->31         started        file7 signatures8 process9 process10 33 stub.exe 46 27->33         started        36 conhost.exe 27->36         started        38 conhost.exe 29->38         started        40 conhost.exe 31->40         started        file11 65 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 33->65 dropped 67 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 33->67 dropped 69 C:\Users\user\AppData\Local\...\win32pipe.pyd, PE32+ 33->69 dropped 71 26 other files (none is malicious) 33->71 dropped 42 stub.exe 8 33->42         started        process12 dnsIp13 99 transfer.sh 42->99 93 C:\Users\user\AppData\...\serviceman.exe, PE32 42->93 dropped 117 Adds a directory exclusion to Windows Defender 42->117 47 cmd.exe 1 42->47         started        49 cmd.exe 1 42->49         started        51 powershell.exe 23 42->51         started        file14 signatures15 process16 process17 53 serviceman.exe 2 47->53         started        57 conhost.exe 47->57         started        59 reg.exe 1 1 49->59         started        61 conhost.exe 49->61         started        63 conhost.exe 51->63         started        dnsIp18 97 chongmei33.publicvm.com 46.243.221.43, 2703, 49717 VOXILITYGB Netherlands 53->97 111 Antivirus detection for dropped file 53->111 113 Machine Learning detection for dropped file 53->113 115 Creates autostart registry keys with suspicious names 59->115 signatures19
Gathering data
Threat name:
Win64.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-09 07:48:45 UTC
AV detection:
2 of 47 (4.26%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4yr2k2kgpcm2lowkmbjhcdwuqctt3wbz2tn7asttxhi5hbpfgxa._file
Verdict:
unknown
Similar samples:
00383e0cef95de02bac4a4725234f5430202e33f1d80b1dd299d682590e6d2f9
AsyncRAT
11123fd370dfdb5d9d5cade853fa923679377c7791bda00d2f415078e2729e65
AsyncRAT
30eb8727af3b8a2f4551574c7d826e9f27480e79d242b92d392b1f64091acf12
AsyncRAT
314ce9b62cecb9435d9ff2338943e4e784cbfbaf9a65dbda7fe1064f477afe41
AsyncRAT
3dcdb90a6140612a5ca5e3a3e7efbc82c43766355399965a200a5753fd1273ad
AsyncRAT
485fcf4c2834e20d71b6765eccd79f6b0880d6a9fdc5d3e519a943862e9b8246
AsyncRAT
9cc659b2ca813ac76fd302254522e11352627942aa96a256da9f82ea269e6d94
AsyncRAT
a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037
AsyncRAT
ea1213c0a684662e8305cfe1c6eeebbb12a9d1404e7571438d3730cc1df1caab
AsyncRAT
f42c71d191748551be0bbb356e4dc638c60fbdc906e7d6536ed4512c5c7eab3e
AsyncRAT
+ 23 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence pyinstaller rat
Link:
https://tria.ge/reports/210309-cbycl41qa6/
Behaviour
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:49746
185.165.153.116:2703
185.165.153.116:49703
185.165.153.116:49746
54.37.36.116:2703
54.37.36.116:49703
54.37.36.116:49746
185.244.30.92:2703
185.244.30.92:49703
185.244.30.92:49746
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:49746
178.33.222.241:2703
178.33.222.241:49703
178.33.222.241:49746
rahim321.duckdns.org:2703
rahim321.duckdns.org:49703
rahim321.duckdns.org:49746
79.134.225.92:2703
79.134.225.92:49703
79.134.225.92:49746
37.120.208.36:2703
37.120.208.36:49703
37.120.208.36:49746
178.33.222.243:2703
178.33.222.243:49703
178.33.222.243:49746
87.98.245.48:2703
87.98.245.48:49703
87.98.245.48:49746
Unpacked files
SH256 hash:
57311d2b4a33c4cd2dd65302938876a40539eec1cea6df82539dce8e9c2f29ae
MD5 hash:
cb617fb45decfb004a575353995f33c5
SHA1 hash:
00c17c4d24aa4892b4afd2de36f8e79ebed9749d
Link:
https://www.unpac.me/results/1cdc85bb-4565-4aad-ba36-bc6d2af6d714/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57311d2b4a33c4cd2dd65302938876a40539eec1cea6df82539dce8e9c2f29ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img c62a5559c50c7c2d7cdd81bed7864b6acc0ef0c2e9687a389d33f058fef28cfa

AsyncRAT

Executable exe 57311d2b4a33c4cd2dd65302938876a40539eec1cea6df82539dce8e9c2f29ae

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1056638/
  
Dropped by
MD5 f878101fe61568c5c68b23776ba5b478
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123157/
  
Dropped by
SHA256 c62a5559c50c7c2d7cdd81bed7864b6acc0ef0c2e9687a389d33f058fef28cfa

Comments