MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cfc4645669e0a0da0bec32b6099b13a0f907a8d54e7382dbaa0e27ed23f3ae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cfc4645669e0a0da0bec32b6099b13a0f907a8d54e7382dbaa0e27ed23f3ae6
SHA3-384 hash: 17312f02c1bdff2d8f4cca61d318da52a39cf997a3297618839f4354a963740acfe0846fb64e4e369728a786612140b5
SHA1 hash: 0e48019d621308ad049fb87b87deddf776e82846
MD5 hash: 95fae5e8246bec2a2c04a331da6950b5
humanhash: juliet-mars-solar-quiet
File name:http___pbfoa.org_d.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:194'560 bytes
First seen:2021-06-05 20:50:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:QFjtVBWeDZME3Cy7QdseK1xKIzFFELOjDkvg1ljvExWGUMvXHHfgJR80:QZtvbDZV7S2K0FFEGfT7U3Hfg
Threatray 121 similar samples on MalwareBazaar
TLSH 1114122AAFE88F25DAF909FBBEB3D60407F0F9104A13C79F080681565D277D68A52F54
Reporter Racco42
Tags:AsyncRAT exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
410
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http___pbfoa.org_d.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-05 20:53:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/37021927-116b-4e8d-becc-78ed3f7d35a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164699/
Detection(s):
SecuriteInfo.com.PWS-FCYU95FAE5E8246B.16811.28806.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/797631
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6cfc4645669e0a0da0bec32b6099b13a0f907a8d54e7382dbaa0e27ed23f3ae6/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-05 20:51:08 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nt6emrlgtyfa3if6ymvwbgnrhihza6unktttqln2udrh5ur7hlta._file
Verdict:
unknown
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
AsyncRAT
517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
AsyncRAT
5e1526ff008fb0bac26c27ae1260d723d3200351f84f9a7b9a3c5b50a05bc5fa
AsyncRAT
78396f7f4448c533637a2ceddd8cf6e94681b7f0c2c7b446c3db3704bda8b928
AsyncRAT
8361cd02491b2a0651e89129aaaa8956409596683821eed908d47987902e0716
AsyncRAT
8ea1d5e023c174a65c047ecf0f633ef66ba5adfd58ff0cc09ad084fd31f84278
AsyncRAT
9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
AsyncRAT
a58d9469e992503f643880102b279956e2672580e212a54ce896b1784f59526b
AsyncRAT
c55730133205122e022bb1681c30d9843889e63bd4f16497f6bbe08f2758e2ba
AsyncRAT
d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2
AsyncRAT
+ 111 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210605-ernkxz7fz6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AsyncRat
Unpacked files
SH256 hash:
b92e0491af10123ee57fca6d167699fac58924a7ef065b680478f3dcc2af3947
MD5 hash:
141297e0d7b0a9d33b0eb4376cbcccc5
SHA1 hash:
bf8a77858d9da08ea7e8b76d1e7ae7ff4bb578ba
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/fd18f42d-81c4-4064-9a45-5346b6d6d37c/
SH256 hash:
61ae1eeb5332a76e1951ede6dce0d18f699d0a4d3efdf5604e4823699076944e
MD5 hash:
60dd9479798845286f3f22d3790abc43
SHA1 hash:
3d4dfcce73b30ad9944d7fb9f9b83b68765bbb53
Link:
https://www.unpac.me/results/fd18f42d-81c4-4064-9a45-5346b6d6d37c/
SH256 hash:
80b8f4cdb0c65d2e85720d05f66b30dfdca905b1ac6848642e00c5dcee38c920
MD5 hash:
55cca7b6f26b3cf9ad0940162d2429d1
SHA1 hash:
2fcf986f1b3c616ca72fb9535ea4d8b8a3100846
Link:
https://www.unpac.me/results/fd18f42d-81c4-4064-9a45-5346b6d6d37c/
SH256 hash:
6cfc4645669e0a0da0bec32b6099b13a0f907a8d54e7382dbaa0e27ed23f3ae6
MD5 hash:
95fae5e8246bec2a2c04a331da6950b5
SHA1 hash:
0e48019d621308ad049fb87b87deddf776e82846
Link:
https://www.unpac.me/results/fd18f42d-81c4-4064-9a45-5346b6d6d37c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cfc4645669e0a0da0bec32b6099b13a0f907a8d54e7382dbaa0e27ed23f3ae6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/164699/
  
URLhaus
https://urlhaus.abuse.ch/url/1331262/

Comments