MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a8e8a128fdcb667d738763ed93b347cd14642059245283acdac17dcdc2c1ccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a8e8a128fdcb667d738763ed93b347cd14642059245283acdac17dcdc2c1ccf
SHA3-384 hash: d378248b1b1ba857270a97ca3d1eb0808a9bd9a95ae12104f0d345b9556b6905a3e6bde63ac6c82199c6d7f56484c908
SHA1 hash: f4e8407dc6fcb26ccfb4b8d4862ece8548bfe4c2
MD5 hash: 12c362532de942750b035854d1795308
humanhash: zebra-august-beryllium-michigan
File name:12c362532de942750b035854d1795308
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:489'896 bytes
First seen:2021-09-22 15:53:41 UTC
Last seen:2021-09-22 16:52:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cb0f17215753e2513f6e30650a54f30c (1 x QuasarRAT, 1 x AsyncRAT)
ssdeep 6144:COi2lYEkmDy4S2fhBNw7xccvTQ2fRXzC8+klVKiEgT8jc5J8:Cw6EkmechBNw7J/46pETAw
Threatray 1'279 similar samples on MalwareBazaar
TLSH T1EBA45F2C45585A9AFBA1C4FCB231ADFF17D8297F80B7B8B3D10DE68317687E15406226
File icon (PE):PE icon
dhash icon f0d4b2d1d8b0d0f0 (20 x BitRAT, 11 x AsyncRAT, 4 x QuasarRAT)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12c362532de942750b035854d1795308
Verdict:
Malicious activity
Analysis date:
2021-09-22 15:56:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb34dad2-9e0e-4fcd-9d7c-93fcf1c4434a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
asyncrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190340/
Detection(s):
SecuriteInfo.com.Variant.Strictor.263595.9636.22835.UNOFFICIAL
Create hunting rule

Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c11258d-6db6-4724-a086-57b5f5c14f54
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855756
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488187 Sample: cbOEEcmllV Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected AsyncRAT 2->31 33 3 other signatures 2->33 6 gb.exe 2->6         started        9 cbOEEcmllV.exe 1 2 2->9         started        12 gb.exe 2->12         started        process3 file4 35 Multi AV Scanner detection for dropped file 6->35 37 Machine Learning detection for dropped file 6->37 39 Writes to foreign memory regions 6->39 43 2 other signatures 6->43 14 AppLaunch.exe 3 6->14         started        23 C:\Users\user\AppData\Roaming\ga\gb.exe, PE32 9->23 dropped 41 Sample uses process hollowing technique 9->41 16 AppLaunch.exe 2 9->16         started        19 AppLaunch.exe 2 12->19         started        21 AppLaunch.exe 12->21         started        signatures5 process6 dnsIp7 25 185.157.160.147, 1973, 49767, 49768 OBE-EUROPEObenetworkEuropeSE Sweden 16->25
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6a8e8a128fdcb667d738763ed93b347cd14642059245283acdac17dcdc2c1ccf/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 15:29:49 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkhiueup3s3gpvzyoy7nsozuptiumqqfsjcsqownvql5zxbmdthq._file
Verdict:
malicious
Similar samples:
148588102731dd9742cd698c882b48c4b49cbfdd868647a83a15a0cbb1f0c8ca
AsyncRAT
4faf0330a092329562d8d79c71cb143e22af30b106a24d1ce37721f2af9d6598
AsyncRAT
5c0b34aff5e71ceed5b16e73b68435a85244a9631d7049ac0bb2898fdcbf6b04
AsyncRAT
5cc027a4132a6238c1c280b1000aef347ba72337e743b086a0bc69d7b5b76e3c
AsyncRAT
6876aa707adeeffbe08d86d26c6cf48b8d77d46c96f8ace28a523b0a846db38f
AsyncRAT
7b1f41c2637cb64002e085187d4c5fdecea9153e28207ebab8984473771919f9
AsyncRAT
99b13841abbf0c2bf736ab08e0e7f48cd28cab2e69eff60399de65e0eced2e68
AsyncRAT
a4d801e88635f298ec71796cafeaf6880547b35be5b8ee18aea59ed85e63ece6
AsyncRAT
d64217395d8a43cd86ae4f154bcfcb62755241a26e4bfbdd06f049fbbfa38fca
AsyncRAT
e88388bec3164944678627db062b753e76b6f7f710a9fabc43dfe69e7df2f366
AsyncRAT
+ 1'269 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:17 persistence rat
Link:
https://tria.ge/reports/210922-tb73gsdbd8/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
185.157.160.147:1973
Unpacked files
SH256 hash:
030ecdda831f4c551c627a09c41b9c6ff9d094e594fd2bbf95d78b85afc465a1
MD5 hash:
0b184a620e6c6941ab56ffa6bdede24b
SHA1 hash:
e134c4820fdcd0ac8055280b618528846df99728
Link:
https://www.unpac.me/results/f108a449-582c-447e-b550-fe759869e0b8/
SH256 hash:
6a8e8a128fdcb667d738763ed93b347cd14642059245283acdac17dcdc2c1ccf
MD5 hash:
12c362532de942750b035854d1795308
SHA1 hash:
f4e8407dc6fcb26ccfb4b8d4862ece8548bfe4c2
Link:
https://www.unpac.me/results/f108a449-582c-447e-b550-fe759869e0b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a8e8a128fdcb667d738763ed93b347cd14642059245283acdac17dcdc2c1ccf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 6a8e8a128fdcb667d738763ed93b347cd14642059245283acdac17dcdc2c1ccf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1639588/
Cape
Cape
https://www.capesandbox.com/analysis/190340/

Comments


Avatar
zbet commented on 2021-09-22 15:53:42 UTC

url : hxxp://185.157.160.147:4444/btconsole2.exe