MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bd0f63d69ebaa8e28b21e9b0f5c02e05c1213535b2881d080db1d09082e9f1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	6bd0f63d69ebaa8e28b21e9b0f5c02e05c1213535b2881d080db1d09082e9f1d
SHA3-384 hash:	a7918c93f5d005fccab374d4c4cbc2e8439cce6cd8758c3301905e526012950acefb3d7db0f8b0ce6c6dd26d8b226eb1
SHA1 hash:	07bb74780172f5dd719e7c392817a0aaad27f173
MD5 hash:	fb5f1a2f214dc8774c41d7a67965a733
humanhash:	summer-pennsylvania-connecticut-venus
File name:	6BD0F63D69EBAA8E28B21E9B0F5C02E05C1213535B288.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	207'872 bytes
First seen:	2021-05-04 12:15:38 UTC
Last seen:	2021-05-04 12:57:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:xzNVgfanHv+ohSVgtjOM4lljJCu5tRBpLu9DLhlN2:xzzUanPHhSeAM4r9DJBu9LvN
Threatray	36 similar samples on MalwareBazaar
TLSH	4D1412A5238E8527F7A6A6B55F36E790835096110603C73FBC8D84443F3FE9E55223EA
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

abuse_ch

AsyncRAT C2:
142.4.200.50:7707

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
142.4.200.50:7707	https://threatfox.abuse.ch/ioc/6622/

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.45971498.15145.3506.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/709992

Signature

Creates an undocumented autostart registry key

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

asyncrat

Link:

https://mwdb.cert.pl/sample/6bd0f63d69ebaa8e28b21e9b0f5c02e05c1213535b2881d080db1d09082e9f1d/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2021-03-26 02:43:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=npipmplj5ovi4kfsd2nq6xac4bobee2tlmuiduea3moqscbot4oq._file

Verdict:

suspicious

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat persistence rat

Link:

https://tria.ge/reports/210504-h9saadlekn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

AsyncRat

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

1a3ccc47d8dddfaa01b543ad6787f1ad1a28b138bed6c0e2d22375c25f74a838

MD5 hash:

f9004542c789bace7c394d50ace4d6a2

SHA1 hash:

f61a2f0f81546b8981b8870ea5dd6461de4213bb

Link:

https://www.unpac.me/results/040e281a-c28c-45bf-819f-0970bf1667db/

SH256 hash:

6ee49e6aec6b10623f745e9e09dc0b01b9f8ecb46fb457be49d233514c941a8e

MD5 hash:

2d417bfba444a9a7c610e4d843428640

SHA1 hash:

e4f7fed571470367f1b1149e396b58184abdc2ec

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/040e281a-c28c-45bf-819f-0970bf1667db/

SH256 hash:

6bd0f63d69ebaa8e28b21e9b0f5c02e05c1213535b2881d080db1d09082e9f1d

MD5 hash:

fb5f1a2f214dc8774c41d7a67965a733

SHA1 hash:

07bb74780172f5dd719e7c392817a0aaad27f173

Link:

https://www.unpac.me/results/040e281a-c28c-45bf-819f-0970bf1667db/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/6bd0f63d69ebaa8e28b21e9b0f5c02e05c1213535b2881d080db1d09082e9f1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample