MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e4bbf19a6e055cc6c2c98ef38288f3465c30e25542b735fbfca921fdb8b95f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	5e4bbf19a6e055cc6c2c98ef38288f3465c30e25542b735fbfca921fdb8b95f9
SHA3-384 hash:	a84f01ff422fa0df147bf17aa5a18ba19cfad326c72857803396b1042eda10a1f1cef404189fa708d87f7d424b11fc01
SHA1 hash:	91eb8879cc44f8361454eb89756fc902e73c3cb1
MD5 hash:	32cc876191795965e3d5f80cfa90ab3d
humanhash:	juliet-nineteen-thirteen-shade
File name:	5E4BBF19A6E055CC6C2C98EF38288F3465C30E25542B7.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	498'176 bytes
First seen:	2022-01-24 19:37:10 UTC
Last seen:	2022-01-24 21:58:18 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:yVuZsPtDqt2rqZaiFZnfeZQ/X5vTSMAjE/x7ALPRFVhZdY3CKbbz:IuSPqutMS/G
Threatray	72 similar samples on MalwareBazaar
TLSH	T15CB42B343EEA5029B273FF699AE4359BE95FBB633B03584D106103864B23A41DED153D
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

abuse_ch

AsyncRAT C2:
95.179.130.232:1703

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.179.130.232:1703	https://threatfox.abuse.ch/ioc/317546/

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/222061/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.6694.15843.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Creating a file in the %temp% directory

DNS request

Сreating synchronization primitives

Creating a window

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cerbu obfuscated

Link:

https://www.filescan.io/uploads/61ef00210f8c757253e34bbf/reports/3fa9883f-759a-40fd-8ec1-0562f4193ec0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/58ee9ddd-3e50-4f39-abaa-d78ef108ff64

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/926591

Signature

.NET source code contains very large strings

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected MSIL Injector

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e4bbf19a6e055cc6c2c98ef38288f3465c30e25542b735fbfca921fdb8b95f9/

Threat name:

ByteCode-MSIL.Backdoor.Convagent

Status:

Malicious

First seen:

2022-01-24 01:34:00 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

24 of 43 (55.81%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lzf36gng4bk4y3bmtdxtqkepgrs4gdrfkqvxgx57zkjb7w4lsx4q._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078

AsyncRAT

6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5

AsyncRAT

716408476bc23c3e74a852ed6246dd60e8ed18533bedc13d4984279c97cd1a74

AsyncRAT

9f4d88e9eeae7ffc241646d0233acb29bedbc9bc0c124b949567a894f8af6f54

AsyncRAT

c07aff77a2523b0fa86790e3dab7341e75fa557cdcb7f850b5cc803f6260cf88

AsyncRAT

cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13

AsyncRAT

d0f8a2be536ca434da7734bd318d2a88ea5005f47d518c30ff611185f42c3701

AsyncRAT

+ 62 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat evasion rat

Link:

https://tria.ge/reports/220124-ycdmgshdh8/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Modifies Windows Firewall

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

dhciaicjzis.xyz:1703
aisviua77s.xyz:1703
sakivivjasiv8cozo3.cn:1703
asidivuvuas8rnvns73.xyz:1703
dsijfiudsfiashvu7ds43.xyz:1703

Unpacked files

SH256 hash:

5e4bbf19a6e055cc6c2c98ef38288f3465c30e25542b735fbfca921fdb8b95f9

MD5 hash:

32cc876191795965e3d5f80cfa90ab3d

SHA1 hash:

91eb8879cc44f8361454eb89756fc902e73c3cb1

Link:

https://www.unpac.me/results/00408db0-91d1-48bb-a942-f777951686ee/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/5e4bbf19a6e055cc6c2c98ef38288f3465c30e25542b735fbfca921fdb8b95f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/222061/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample