MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509
SHA3-384 hash: cfdac2b6ed880e3980d6663e8d7738d45f502d45933894c40066abe89ec46077a43faef564f1d308b456677bff4ec93d
SHA1 hash: 0021818c5bbc147738f323a98e42131411471db8
MD5 hash: c4bb2285a9f20e982707e4c9ee4f7e35
humanhash: mirror-sad-zulu-whiskey
File name:641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:832'512 bytes
First seen:2021-04-30 07:55:21 UTC
Last seen:2021-04-30 09:03:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:OqvaoVwpeSpX4eo75OjQ+PS0bsjtP9BJjmgR:aoIVX4emv0bsjTBJjmA
Threatray 34 similar samples on MalwareBazaar
TLSH 3F054A1423F88B15FEEE1B35A4F049055BF5EC67A1B1E78E5A44B1AAD873B418C1C3A3
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
193.142.146.202:36186

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.142.146.202:36186 https://threatfox.abuse.ch/ioc/25068/
193.142.146.202:8808 https://threatfox.abuse.ch/ioc/26627/

Intelligence

File Origin
# of uploads :
3
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/147265/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46202455.8623.4445.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Creating a file in the %AppData% directory
Creating a file
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Moving a recently created file
Setting a global event handler
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/704272
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 401060 Sample: 641073a7b38fa3b3e938af48105... Startdate: 30/04/2021 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Antivirus detection for dropped file 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 9 other signatures 2->86 8 641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe 4 9 2->8         started        process3 file4 56 C:\Users\user\...\aposffffsggfgffot.exe, PE32 8->56 dropped 58 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 8->58 dropped 60 C:\...\aposffffsggfgffot.exe:Zone.Identifier, ASCII 8->60 dropped 62 2 other files (1 malicious) 8->62 dropped 94 Creates an undocumented autostart registry key 8->94 96 Writes to foreign memory regions 8->96 98 Injects a PE file into a foreign processes 8->98 12 RegAsm.exe 16 7 8->12         started        16 wscript.exe 1 8->16         started        19 AdvancedRun.exe 1 8->19         started        21 AdvancedRun.exe 1 8->21         started        signatures5 process6 dnsIp7 72 193.142.146.202, 49725, 49738, 8808 HOSTSLICK-GERMANYNL Netherlands 12->72 74 pastebin.com 104.23.99.190, 443, 49724 CLOUDFLARENETUS United States 12->74 64 C:\Users\user\AppData\Local\Temp\tebhjt.exe, PE32 12->64 dropped 66 C:\Users\user\AppData\Local\Temp\sjubbq.exe, PE32+ 12->66 dropped 68 C:\Users\user\AppData\Local\Temp\rpgxsm.exe, PE32 12->68 dropped 70 C:\Users\user\AppData\Local\Temp\dcdpuw.exe, PE32 12->70 dropped 23 cmd.exe 12->23         started        26 cmd.exe 12->26         started        28 cmd.exe 12->28         started        30 cmd.exe 12->30         started        76 Wscript starts Powershell (via cmd or directly) 16->76 78 Adds a directory exclusion to Windows Defender 16->78 32 powershell.exe 16->32         started        34 AdvancedRun.exe 19->34         started        36 AdvancedRun.exe 21->36         started        file8 signatures9 process10 signatures11 88 Suspicious powershell command line found 23->88 90 Wscript starts Powershell (via cmd or directly) 23->90 92 Bypasses PowerShell execution policy 23->92 38 conhost.exe 23->38         started        40 powershell.exe 23->40         started        42 conhost.exe 26->42         started        44 powershell.exe 26->44         started        46 conhost.exe 28->46         started        48 powershell.exe 28->48         started        50 conhost.exe 30->50         started        52 powershell.exe 30->52         started        54 conhost.exe 32->54         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-28 19:42:00 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqihhj5tr6r3h2jyv5ebawlov5j2rhswlem5yuc36bk7beoqwueq._file
Verdict:
malicious
Similar samples:
029626fb22c7446fc6f2abd2551252a08507c68fd035d41694e2c77b6e868698
AsyncRAT
1db8dca90cc4f57b8d96737bd5efb3493b1b62bf222d39740334ef1927214c6e
AsyncRAT
30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
AsyncRAT
4f450fcf02d7006fd4fbea8c2cad999397672d44864f1e8c504633ce53c3d53d
AsyncRAT
79e2a3311700e87e6d5e4d5f8e23f8f6b5500aa9e25e71afb016df130f21bae0
AsyncRAT
9463fd33646ba1e72825b00914cc2d5dfef3e31a584cc717e634fe1f685ba6da
AsyncRAT
c902ee96e1452a3d04cc4714bc9907a0434ec3d3a6865ef61f4f9fda15ccff26
AsyncRAT
d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2
AsyncRAT
da1fba1d66a44b77440ec136dec09f921d932d5ece0d35030e7c22d50f73bc8a
AsyncRAT
e0fe9f8bd65d5a1ffcca6994e9883143c4cb4f51ec33fab4105c30bec01cea69
AsyncRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/210430-ybjt7b1vh6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Nirsoft
AsyncRat
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
5ddfe4e2c2491a27820d91035ab5d3f4eedee81b39976e9fd9ae6f23d80440ae
MD5 hash:
1708269ff31983c6ee751ffc13889416
SHA1 hash:
bfbb34e5b592e3a0b02752b8d3b20e7f96c7c179
Link:
https://www.unpac.me/results/e6ca392d-1bc0-4576-9489-b57d93f5caa5/
SH256 hash:
63229e300a10f26c5ec9c88561d31d47bb34bf2877c118aea6ad15b3b0801e89
MD5 hash:
72cccd5582e4a576c3bf907174f033a9
SHA1 hash:
aa0e2470cb8e3f32ee55a977669885ed6e1b534b
Link:
https://www.unpac.me/results/e6ca392d-1bc0-4576-9489-b57d93f5caa5/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/e6ca392d-1bc0-4576-9489-b57d93f5caa5/
SH256 hash:
7ed9b930922016afd4c780e03893cb60fd97920ecc79b5d640c565c75d50885b
MD5 hash:
a281d1d754e429550a8392a6b41b7f52
SHA1 hash:
3fc863123f9b4520696997d3bdb5b0b0dd6546b7
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/e6ca392d-1bc0-4576-9489-b57d93f5caa5/
SH256 hash:
641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509
MD5 hash:
c4bb2285a9f20e982707e4c9ee4f7e35
SHA1 hash:
0021818c5bbc147738f323a98e42131411471db8
Link:
https://www.unpac.me/results/e6ca392d-1bc0-4576-9489-b57d93f5caa5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147265/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 08:07:11 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program