MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 577e9a280fa8118a011ed908623c6cf4eafd923d59e4e60ca450932db5322cf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 577e9a280fa8118a011ed908623c6cf4eafd923d59e4e60ca450932db5322cf4
SHA3-384 hash: f7e172eeeb2915cc9110c46149ab106bedf0256841e83ec65aa16c4d58c976ae76d054f170be082fa789356fc6b8e45a
SHA1 hash: e857bd0955ddae3d3c3e2b4c7d0f8729d8a4edf6
MD5 hash: 26f4c85b843cb3a6ddca8a1546a32570
humanhash: oregon-arizona-violet-beryllium
File name:SwiftMessage-PDF.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:431'104 bytes
First seen:2020-11-06 07:07:55 UTC
Last seen:2020-11-06 08:42:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:yoFQImAXJCl0u9O/s7jfn7TG6R3zhj3+JXnKP:fFxmXl08/X/3FFSXnK
Threatray 422 similar samples on MalwareBazaar
TLSH D29440F081DE1062E25F8575767D7E6842B2B0CBEFDA6A58137CE1301BAEA633B0550D
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: mailer11-1.incnets.com
Sending IP: 210.6.92.71
From: albert_lcn@shrirographic.com.hk
Subject: Payment Return
Attachment: SwiftMessage-PDF.z (contains "SwiftMessage-PDF.exe")

AsyncRAT C2:
finishfarm.duckdns.org

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.4270.24157.13854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/522178
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 310188 Sample: SwiftMessage-PDF.exe Startdate: 06/11/2020 Architecture: WINDOWS Score: 92 63 finishfarm.duckdns.org 2->63 67 Multi AV Scanner detection for dropped file 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected AsyncRAT 2->71 73 5 other signatures 2->73 9 SwiftMessage-PDF.exe 1 4 2->9         started        13 task.exe 2->13         started        15 vlc.exe 1 2->15         started        17 vlc.exe 2->17         started        signatures3 process4 file5 57 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 9->57 dropped 59 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 9->59 dropped 61 C:\Users\user\...\SwiftMessage-PDF.exe.log, ASCII 9->61 dropped 75 Injects a PE file into a foreign processes 9->75 77 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->77 19 SwiftMessage-PDF.exe 6 9->19         started        79 Multi AV Scanner detection for dropped file 13->79 81 Machine Learning detection for dropped file 13->81 21 vlc.exe 6 15->21         started        24 vlc.exe 17->24         started        signatures6 process7 dnsIp8 27 cmd.exe 1 19->27         started        29 cmd.exe 1 19->29         started        55 C:\Users\user\AppData\Roaming\task.exe, PE32 21->55 dropped 31 cmd.exe 21->31         started        33 cmd.exe 21->33         started        65 finishfarm.duckdns.org 185.244.30.139, 49760, 49761, 49762 DAVID_CRAIGGG Netherlands 24->65 35 cmd.exe 24->35         started        file9 process10 process11 37 task.exe 27->37         started        39 conhost.exe 27->39         started        41 timeout.exe 1 27->41         started        43 conhost.exe 29->43         started        45 schtasks.exe 1 29->45         started        51 3 other processes 31->51 47 conhost.exe 33->47         started        49 schtasks.exe 33->49         started        53 2 other processes 35->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/577e9a280fa8118a011ed908623c6cf4eafd923d59e4e60ca450932db5322cf4/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 06:17:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k57jukapvaiyuai63eegepdm6tvp3er5lhsomdfekcjs3njsft2a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
02dd12ec33f4f1d1bbf4f3479ad5bc88be2a1c92f19461e6f25a754e213abc42
AsyncRAT
0dea20e41047659c9a7a7ef93599d0c918fe26e2322db8fb3e9ef333c5a48ca2
AsyncRAT
1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d
AsyncRAT
341c2ff06edc558131f9517ebabf0ce7676457cc1d33c5ab7189961d0b28b0b8
AsyncRAT
632fad824e77666d3ccb676808a2f04eb349f1f0f1495e75b37aa47e690ffe14
AsyncRAT
99292ae82aea1cc66b3fbd7e9aa4139af2af3b5ea9be01ca2da1dfadabd24008
AsyncRAT
a16602864c33b68b083a8a404c6500b44bf3247c474071cb7dd4216a39e5347e
AsyncRAT
de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78
AsyncRAT
e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662
AsyncRAT
ebb67fcc05af7a919e225a7a1f8c5bfbd65b28c22f4659527b0afb4f968ccd49
AsyncRAT
+ 412 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/201106-vscqntp8cn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
finishfarm.duckdns.org:6606
Unpacked files
SH256 hash:
7b931fcc450ad602d1dbe4801765579ded130acb3c79174cc9c901505e8f6ad5
MD5 hash:
b6147ed044c99dc77f3845cbb36295e4
SHA1 hash:
0bc07cf766ec98d5cff305dfba07083fc146fd01
Link:
https://www.unpac.me/results/1d82fc40-0fa2-411d-9fa4-3f7c06ac9944/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/1d82fc40-0fa2-411d-9fa4-3f7c06ac9944/
SH256 hash:
c74161f54ba23dc9a55c92a401b65c8cf5b5276f50c2be6740639c25ee7c6e48
MD5 hash:
6df9890c8daf8c313d28f5eb8fd8663a
SHA1 hash:
b880732270e1ee1c97a669ea1294001b7f5414ac
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/1d82fc40-0fa2-411d-9fa4-3f7c06ac9944/
SH256 hash:
577e9a280fa8118a011ed908623c6cf4eafd923d59e4e60ca450932db5322cf4
MD5 hash:
26f4c85b843cb3a6ddca8a1546a32570
SHA1 hash:
e857bd0955ddae3d3c3e2b4c7d0f8729d8a4edf6
Link:
https://www.unpac.me/results/1d82fc40-0fa2-411d-9fa4-3f7c06ac9944/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 77e5d967eeca960438264cc0604de95853a50da5d3edb0b2b2df02da96d7bda4

AsyncRAT

Executable exe 577e9a280fa8118a011ed908623c6cf4eafd923d59e4e60ca450932db5322cf4

(this sample)

  
Dropped by
MD5 9be972ba503bdbf5ddd220af931372ab
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 77e5d967eeca960438264cc0604de95853a50da5d3edb0b2b2df02da96d7bda4

Comments