MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6476d20efbafc2f125919f44a3e70e27e70812f68963c7c3e31f1ce7afe414d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6476d20efbafc2f125919f44a3e70e27e70812f68963c7c3e31f1ce7afe414d0
SHA3-384 hash: db89ca8c435880db5e2c97746d6c18c661afb23c624862ca578dd7009ddacc9c92fa67c51e1819bdebf685e9a891318e
SHA1 hash: 84d2aef996d056042afba2b9b850a5d0b1eaf70a
MD5 hash: df6922e11bb3bcef662789ad970ad6a1
humanhash: oven-alanine-uncle-mexico
File name:MACHINE SPECIFICATIONS.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:711'080 bytes
First seen:2021-07-01 12:38:20 UTC
Last seen:2021-08-31 10:23:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41999ec9d2bb54af1616c904a0650895 (1 x DarkComet, 1 x AsyncRAT, 1 x RaccoonStealer)
ssdeep 12288:BvYQ66KSyqoati7wbGJ0wvgp2ksCsd39JKixuFUskanIp3h:BQQ66X+aQ7wbGJ0wvgp2ksCsd39JKix7
Threatray 6'250 similar samples on MalwareBazaar
TLSH 11E4056EA150B08BD805BCB049B9976A66352C7805C49E07BEB0AB0D29737F37CB571F
Reporter lowmal3
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MACHINE SPECIFICATIONS.exe
Verdict:
Malicious activity
Analysis date:
2021-07-01 12:46:40 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/0ec91527-f72b-437c-b84b-24656b55770d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169156/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.13453.14501.3862.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61e6bf4c-2033-4282-ad4f-bfd6b47508e0
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810548
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442959 Sample: MACHINE SPECIFICATIONS.exe Startdate: 01/07/2021 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for domain / URL 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected AsyncRAT 2->51 53 3 other signatures 2->53 7 svchost.exe.exe 2->7         started        10 svchost.exe.exe 2->10         started        12 MACHINE SPECIFICATIONS.exe 1 2 2->12         started        15 12 other processes 2->15 process3 dnsIp4 55 Multi AV Scanner detection for dropped file 7->55 57 Machine Learning detection for dropped file 7->57 59 Writes to foreign memory regions 7->59 18 WerFault.exe 19 9 7->18         started        20 RegSvcs.exe 3 7->20         started        22 WerFault.exe 7->22         started        61 Allocates memory in foreign processes 10->61 63 Injects a PE file into a foreign processes 10->63 24 RegSvcs.exe 2 10->24         started        26 WerFault.exe 10->26         started        39 C:\Users\user\AppData\...\svchost.exe.exe, PE32 12->39 dropped 28 RegSvcs.exe 2 12->28         started        31 WerFault.exe 23 9 12->31         started        43 127.0.0.1 unknown unknown 15->43 45 192.168.2.1 unknown unknown 15->45 65 Changes security center settings (notifications, updates, antivirus, firewall) 15->65 33 MpCmdRun.exe 15->33         started        35 3 other processes 15->35 file5 signatures6 process7 dnsIp8 41 leechong444.ddnsgeek.com 191.101.28.10, 46422, 6578 ASDETUKhttpwwwheficedcomGB Chile 28->41 37 conhost.exe 33->37         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6476d20efbafc2f125919f44a3e70e27e70812f68963c7c3e31f1ce7afe414d0/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 12:39:08 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mr3nedx3v7bpcjmrt5ckhzyoe7tqqexwrfr4pq7dd4oopl7ectia._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
59826e007d50e1f3dcda5d2cb2ac50ba32f154da98c1348f7fbfee24f6b29841
AsyncRAT
7c991793d6d9d1b21496bfd5867fc3d991a5f0f5013c0733ab57b2ac89f00a10
AsyncRAT
81e96984130042d0ee70ae09a7bc9375974d513938e80877720d251330e4b37e
AsyncRAT
8adeeedad895d174c55f2d43c1985ff77fc533975cfde64f8dfd99782e4c4b9f
AsyncRAT
a412a3bdf6e8891fa60734b53430db5d0ac8dce28a764fd013dd767614790c45
AsyncRAT
ce0530832a781bd0ca193f10973c554c051cbebd189339c2ff31b60638914a89
AsyncRAT
d82330b1d9bfbebbff4d21e9ddd0f86e90ed27031ba29557587d182246301ee5
AsyncRAT
dcaf6810871062a1a5a292c8e46667a8b7de908d292513ef1c443929ce8897c5
AsyncRAT
dcd32e037c7e83fb4114d1d9517830e21ad5738ad4e4ee8b685b49f805d1e8f7
AsyncRAT
ea78060a7dd7e2df3a47591cc7503c7dd637c3169ec4c78250a43f3bd3d4a290
AsyncRAT
+ 6'240 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/210701-8kszwbw9ra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
leechong444.ddnsgeek.com:46422
leechong444.ddnsgeek.com:6578
Unpacked files
SH256 hash:
a67db0446828a5ba7e083ca1933424b501ed3420aa646d464483311014768f79
MD5 hash:
c4b69b7086f2f7d0abb52330ec012c2d
SHA1 hash:
a03d47cff1d018ec68a9d47b04d448d67afad139
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/5746627d-17e8-4533-8cd8-de0f5b3c6f4b/
SH256 hash:
6476d20efbafc2f125919f44a3e70e27e70812f68963c7c3e31f1ce7afe414d0
MD5 hash:
df6922e11bb3bcef662789ad970ad6a1
SHA1 hash:
84d2aef996d056042afba2b9b850a5d0b1eaf70a
Link:
https://www.unpac.me/results/5746627d-17e8-4533-8cd8-de0f5b3c6f4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6476d20efbafc2f125919f44a3e70e27e70812f68963c7c3e31f1ce7afe414d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 6476d20efbafc2f125919f44a3e70e27e70812f68963c7c3e31f1ce7afe414d0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/169156/

Comments