MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64ed6346638c08c2a79a5b450ebabbcc0627dc22a13f4da9483174e71b8b819e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64ed6346638c08c2a79a5b450ebabbcc0627dc22a13f4da9483174e71b8b819e
SHA3-384 hash: 03f9867a91af529cb66c634349352ae06b949e303ce533bea95217664d76b2c9611c8559e3526144fa7a402b7717cb36
SHA1 hash: 8874ab04ff1220f2298a50bffc985476d8c257ea
MD5 hash: efae83e2bdfc62bbaf09f1caf1d4c471
humanhash: michigan-timing-orange-ink
File name:19112020778IMG78487784.xz
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:186'058 bytes
First seen:2020-11-19 08:20:30 UTC
Last seen:Never
File type: xz
MIME type:application/x-rar
ssdeep 3072:ZcKRX4SXfl9+aN7xP5MVp5vNDd6bfCLIItgOrBP/aT3DfxG5NFUSd:6Kd4sv3C58bfavtgOBXazsLFFd
TLSH 9204232103EEA48F2794A4304635DB68B6276794B0A4B3237EF51C21D7EE37A479D13E
Reporter abuse_ch
Tags:AsyncRAT nVpn Outlook RAT xz


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: EUR06-AM7-obe.outbound.protection.outlook.com
Sending IP: 40.92.16.86
From: EDEN LABO <edenlabo@hotmail.com>
Subject: TR: 回复: PROFORMA INVOICE 200102-003: REV QUOTATION 191231-003 RE: 回复: 回复: TOP TOP URGENT
Attachment: 19112020778IMG78487784.xz (contains "19112020778IMG78487784.exe")

AsyncRAT C2:
194.5.97.249:9951

Hosted on nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.97.0 - 194.5.97.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-UK5
country: GB
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
mnt-by: PRIVACYFIRST-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-26T17:48:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64ed6346638c08c2a79a5b450ebabbcc0627dc22a13f4da9483174e71b8b819e/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 08:21:04 UTC
AV detection:
6 of 48 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mtwwgrtdrqemfj42lncq5ov3zqdcpxbcue7u3kkigf2oog4lqgpa._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

xz 64ed6346638c08c2a79a5b450ebabbcc0627dc22a13f4da9483174e71b8b819e

(this sample)

AsyncRAT

Executable exe 4fe55684ef64ad80c3994eb961d1008585121b9708546ad0a1fd87141619555d

  
Dropping
MD5 9646cb8f86411e94d022d1472c527c11
  
Dropping
AsyncRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4fe55684ef64ad80c3994eb961d1008585121b9708546ad0a1fd87141619555d

Comments