MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 608e60e4a09dab9537b70b34a5497e8fd885449a8b3789d8f7412d29ea91387e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 608e60e4a09dab9537b70b34a5497e8fd885449a8b3789d8f7412d29ea91387e
SHA3-384 hash: 0df69f18597ff414e256784fd81ce354dee320f7b581d1c4ccdf2e561b30a7e768394e16988d3b95503a602543cc8e6e
SHA1 hash: 32d91ea2aa5833fb6bbd970d5052d10bccdb2511
MD5 hash: 4ca6033ca637f255b077a9a55a3085a2
humanhash: jersey-ohio-jupiter-mobile
File name:4ca6033ca637f255b077a9a55a3085a2.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:814'680 bytes
First seen:2021-12-21 20:41:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:uiR8wMJhpYMiGS/xGNPdwbffY3n5/hTwCB:uomIpGIfwXRpwQ
Threatray 37 similar samples on MalwareBazaar
TLSH T1CD05F1E4C55C0AFBE0636A3240670B385F6C1DA37653BA0E4174CFBEDE8EED25026599
File icon (PE):PE icon
dhash icon ceccc4c6cef0f2d4 (9 x AsyncRAT, 1 x NanoCore, 1 x BitRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT signed

Code Signing Certificate

Organisation:google inc
Issuer:google inc
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-17T19:00:37Z
Valid to:2022-12-17T19:00:37Z
Serial number: ce9ea0a49562fbd8361fb75bc175ccb2
Thumbprint Algorithm:SHA256
Thumbprint: c4ee78d1020b0f11fcb60f17fcc670283ee4e99707c63d77da5ef9682ba9c791
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AsyncRAT C2:
107.172.44.141:6606

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
107.172.44.141:6606 https://threatfox.abuse.ch/ioc/280560/

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ca6033ca637f255b077a9a55a3085a2.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-21 20:44:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db54fce6-bca8-49be-805d-2132d5b83bdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215702/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a window
Changing a file
Creating a file
Sending a custom TCP request
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Blocking the User Account Control
Forced shutdown of a system process
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed samas
Link:
https://www.filescan.io/uploads/61c23c1d4ab5c44cbf4bdfd8/reports/d41d0c86-2fbd-4315-bf8a-67e570ab1bf8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/548cb59b-6abb-400f-901a-8a5b5bb23ec6
Result
Threat name:
AsyncRAT GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911219
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Microsoft Workflow Compiler
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected GhostRat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543694 Sample: o53WTMuCfc.exe Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected UAC Bypass using CMSTP 2->51 53 10 other signatures 2->53 7 o53WTMuCfc.exe 6 7 2->7         started        11 svchost.exe 2->11         started        14 svchost.exe 2->14         started        16 svchost.exe 1 2->16         started        process3 dnsIp4 39 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 7->39 dropped 41 C:\Users\user\AppData\...\o53WTMuCfc.exe.log, ASCII 7->41 dropped 55 Creates an autostart registry key pointing to binary in C:\Windows 7->55 57 Writes to foreign memory regions 7->57 59 Adds a directory exclusion to Windows Defender 7->59 61 Drops PE files with benign system names 7->61 18 aspnet_compiler.exe 7->18         started        21 powershell.exe 24 7->21         started        23 powershell.exe 24 7->23         started        25 9 other processes 7->25 45 192.168.2.1 unknown unknown 11->45 63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 file5 signatures6 process7 dnsIp8 43 107.172.44.141, 49784, 6606 AS-COLOCROSSINGUS United States 18->43 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        37 conhost.exe 25->37         started        process9
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/608e60e4a09dab9537b70b34a5497e8fd885449a8b3789d8f7412d29ea91387e/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 23:36:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mchgbzfatwvzkn5xbm2kksl6r7mikre2rm3ytwhxiewst2urhb7a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5
AsyncRAT
16ddda7e3bc7f3b487325b51715c01ab3cca61e582dd7e147e5ad46da9b9b1ad
AsyncRAT
3b5e31e4b62087dfa7cac1a39c31896d25d465c971fe1db3e9a9271471ce416d
AsyncRAT
3c4f9e2ee772689549b460628a78cc6f0c04255d3195e69f5ac9d4e30cf14461
AsyncRAT
8363ec66488bc7a791bdee2ba827df1e4e191d2a70851f8a9da26da561f31c7a
AsyncRAT
b830b088dcc04db74fc8afbb16dcfff0134c405228be44df5d996a9a5b254bff
AsyncRAT
c149538ce2321477d126a3495910c742a189615859a380b807cc19027b33001b
AsyncRAT
c8352baa0192f9bdbf7b0d47d76f9b592ba602ea001fdc21e281899eb3209a6c
AsyncRAT
dcc56c9c71af674705edbdd9352ee9de18ee733b26bbda73db83bbfcfba97a74
AsyncRAT
+ 27 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default evasion persistence rat trojan
Link:
https://tria.ge/reports/211221-zg1hgseeg7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
Async RAT payload
AsyncRat
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
107.172.44.141:6606
107.172.44.141:7707
107.172.44.141:8808
Unpacked files
SH256 hash:
608e60e4a09dab9537b70b34a5497e8fd885449a8b3789d8f7412d29ea91387e
MD5 hash:
4ca6033ca637f255b077a9a55a3085a2
SHA1 hash:
32d91ea2aa5833fb6bbd970d5052d10bccdb2511
Link:
https://www.unpac.me/results/08c4d802-a5f2-47f6-b5f0-e7ac747fc522/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/608e60e4a09dab9537b70b34a5497e8fd885449a8b3789d8f7412d29ea91387e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/215702/

Comments