MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5
SHA3-384 hash: e65be5d75a7804ed0093b62b06cb6184bc465e08b60e59cd7c47273151e8e03f90956ca0da36acf3a5802d3425204102
SHA1 hash: 95e3899672ba3f7352806a6b663959c888911069
MD5 hash: 8ad6032daa80a5adaa61010895ed78ce
humanhash: table-gee-march-lima
File name:8ad6032daa80a5adaa61010895ed78ce.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:441'856 bytes
First seen:2021-07-26 22:15:40 UTC
Last seen:2021-07-26 22:43:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:SU4RfKHLuiRKM4t7V/H+Ygu/SSFb8Enb8E:smIrh
Threatray 46 similar samples on MalwareBazaar
TLSH T1639438343DEA502AB273EF698BE4759ADA6FB7633B07585D10A103860723E81DEC153D
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
185.163.45.142:1786

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.163.45.142:1786 https://threatfox.abuse.ch/ioc/163057/

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8ad6032daa80a5adaa61010895ed78ce.exe
Verdict:
No threats detected
Analysis date:
2021-07-26 22:17:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1628c25-4670-4f68-8e82-b5da9cf8ceaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174209/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.5388.23354.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a755794d-17a2-4f34-8faf-18059c38c19d
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822029
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Enables a proxy for the internet explorer
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sets a proxy for the internet explorer
Sigma detected: Suspicious Csc.exe Source File Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 454441 Sample: McCG9pm2Um.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 40 windowsupdatecdn.cn 2->40 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 8 other signatures 2->60 9 McCG9pm2Um.exe 1 2->9         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\McCG9pm2Um.exe.log, ASCII 9->36 dropped 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Modifies the context of a thread in another process (thread injection) 9->66 68 Injects a PE file into a foreign processes 9->68 13 MSBuild.exe 17 46 9->13         started        signatures6 process7 dnsIp8 48 niceone20.cn 185.163.45.142, 1786, 49743, 49746 MIVOCLOUDMD Moldova Republic of 13->48 50 checkip.dyndns.org 13->50 52 4 other IPs or domains 13->52 38 C:\Users\user\AppData\...\gwe0esvq.cmdline, UTF-8 13->38 dropped 70 Installs new ROOT certificates 13->70 72 May check the online IP address of the machine 13->72 74 Encrypted powershell cmdline option found 13->74 76 5 other signatures 13->76 18 powershell.exe 14 33 13->18         started        21 csc.exe 3 13->21         started        24 netsh.exe 3 13->24         started        file9 signatures10 process11 dnsIp12 42 consent.google.com 142.250.181.238 GOOGLEUS United States 18->42 44 www.google.com 142.250.185.196 GOOGLEUS United States 18->44 46 2 other IPs or domains 18->46 26 conhost.exe 18->26         started        34 C:\Users\user\AppData\Local\...\gwe0esvq.dll, PE32 21->34 dropped 28 conhost.exe 21->28         started        30 cvtres.exe 1 21->30         started        32 conhost.exe 24->32         started        file13 process14
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-07-25 23:50:39 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2lbaw24bcwzuxc77tk2hf3bfveqribuvvh2uhupdx4tkkwudtcq._file
Verdict:
unknown
Similar samples:
321e5fc93bbd3af8c3f18b95ce67e2378ce3c798a301e38161b4c5140181ef93
AsyncRAT
39734faf0a577140648e7a9c46220d612bd334a14c547e33a08af07e102fce30
AsyncRAT
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
AsyncRAT
720aa2910e6e575ee4b6429e3290dd27a116f407f567614ce242c63c9d83cd8b
AsyncRAT
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
AsyncRAT
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
AsyncRAT
b4c4e3a573f0d2a25de1b2a862f0acab1dcba383e244bb808be0709874a47dd8
AsyncRAT
ba3c244413f003bbd093b5e3e082bb9b0914d5bd9e03526b0e4b4faf4eacc411
AsyncRAT
ccc7d187ff725af5867b1358f3324be6155de93ce81079564d1fa22bac501702
AsyncRAT
f7707fe4c69384493ced8f0defb76e6a9f4921e1ac14ae957329cbf92f1f00b2
AsyncRAT
+ 36 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat evasion rat suricata
Link:
https://tria.ge/reports/210726-la9422x7xs/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Blocklisted process makes network request
Modifies Windows Firewall
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Unpacked files
SH256 hash:
6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5
MD5 hash:
8ad6032daa80a5adaa61010895ed78ce
SHA1 hash:
95e3899672ba3f7352806a6b663959c888911069
Link:
https://www.unpac.me/results/41d32b5c-ded6-4423-8cc5-92eaf5f3a896/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:Reflective_DLL_Loader_Aug17_1
Create hunting rule
Author:Florian Roth
Description:Detects Reflective DLL Loader
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174209/

Comments