MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 670b9dc5f9ab7bf8ac18a526a492092b872782c514b5e772375c0c6392e926fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	670b9dc5f9ab7bf8ac18a526a492092b872782c514b5e772375c0c6392e926fa
SHA3-384 hash:	f491da3c7ce31e06cb5d75f6928ece7b3cfd3a15581eaa24d43cafbb33fec8d1e2c0fdc138f336b4c285c6075bf3364c
SHA1 hash:	a446ceb5a8c6edbcbd4c74db9c5904edae97fe83
MD5 hash:	92beedf1d538defebb16667c035d7ad2
humanhash:	uncle-cat-stairway-oklahoma
File name:	#RFQ ORDER484425083-NJQ.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	77'312 bytes
First seen:	2021-12-21 10:17:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:66Fm4G9cPppv3s54ldQxM/TsLi+vQrpazPcXofYsxzR17TtJeqZU:66FH68d4kX6YsxzRB5JeqZU
Threatray	97 similar samples on MalwareBazaar
TLSH	T1F273DF66D7CA06B6FAB447B035470AB372BC1F27B12B70BF54987DCE7581248094BB61
File icon (PE):
dhash icon	62e68c18148ca0e0 (10 x CoinMiner, 7 x AgentTesla, 4 x SnakeKeylogger)
Reporter	GovCERT_CH
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

#RFQ ORDER484425083-NJQ.exe

Verdict:

Suspicious activity

Analysis date:

2021-12-21 10:21:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f41c378c-7aca-4b32-bed0-083c72c29e54

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/215624/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Сreating synchronization primitives

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Creating a file

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61c1a9df8991ba72b3900367/reports/f05d53a5-b73f-4851-a219-9bf20a493f02/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fa3a9390-d584-404d-a126-ff07fd56f7c9

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/910871

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/670b9dc5f9ab7bf8ac18a526a492092b872782c514b5e772375c0c6392e926fa/

Threat name:

ByteCode-MSIL.Trojan.AsyncRAT

Status:

Malicious

First seen:

2021-12-21 09:31:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4fz3rpzvn57rlayuutkjeqjfodspawfcs26o4rxlqgghexje35a._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

5d3d32ee309bc3687631ad92beab3b5d3490318b969d4e9ba72d6b1c985ffe87

AsyncRAT

63e4d45c7fce9de0b78e2bc09df98ffe29ac6ca9e36f247977fa37415b8da13a

AsyncRAT

7f6e85893aad47392dd06e9bbf28a8ee85293bcbec12403bae09d1e1f3e727ab

AsyncRAT

b4433e10d6b0efd343e586a877e4b9823efe364c2e193a3943c7a7352837ebed

AsyncRAT

daff09e7c2422769ee94d911316aa55b00438031df7fb1faee7ad0856f3f6f53

AsyncRAT

+ 87 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat suricata

Link:

https://tria.ge/reports/211221-mbyqgsdggn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

AsyncRat

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Unpacked files

SH256 hash:

670b9dc5f9ab7bf8ac18a526a492092b872782c514b5e772375c0c6392e926fa

MD5 hash:

92beedf1d538defebb16667c035d7ad2

SHA1 hash:

a446ceb5a8c6edbcbd4c74db9c5904edae97fe83

Link:

https://www.unpac.me/results/61f59725-c493-4188-8531-9f950b54383d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/670b9dc5f9ab7bf8ac18a526a492092b872782c514b5e772375c0c6392e926fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

exe 670b9dc5f9ab7bf8ac18a526a492092b872782c514b5e772375c0c6392e926fa

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/215624/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample