MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f757db2feb9c5e3817c192c661d7cc2d23ab24a9ae8608aedc3561a3b32012c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 6

SHA256 hash: 6f757db2feb9c5e3817c192c661d7cc2d23ab24a9ae8608aedc3561a3b32012c
SHA3-384 hash: d4229b1f13ec42ecdd1777bec3525cf27f7b4a04e33eb576a7511af1947b5c91b53a834fcf06b7e00ed75849204e92fa
SHA1 hash: a1c7db7b11007e5df702af0073c0a3f969441cb4
MD5 hash: 41cf97be9aced54391e78228d5c1a63d
humanhash: purple-august-mexico-fish
File name: Invoice Copy.exe
Signature: AsyncRAT
File size: 1'899'824 bytes
First seen: 2020-07-28 16:53:35 UTC
Last seen: 2020-07-28 17:41:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'652 x AgentTesla, 19'463 x Formbook and 12'204 x SnakeKeylogger samples; the sample is a .NET executable, whose import table is only the runtime stub, so this imphash identifies the runtime rather than the family and is not a useful pivot on its own)
ssdeep: 24576:ylAObjaiy6zqrgHIh8/Xgnz6FyMRHQYVsCl7u9CBPq2f5aE2s7++3v+:yvCXrXh8/XgwR3VRzBNv+
TLSH: 7395D265B880719FB59A45B04ED795E892DE3D25063027389EA3387DC93E1877CCF8B2
Reporter: cocaman
Tags: AsyncRAT exe
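Before touching a downloaded copy of this sample, confirm it is the file the entry describes by recomputing every listed digest (including the less common SHA3-384, which hashlib supports) and the size. The script below is an added example, not MalwareBazaar's own code; it uses only the Python standard library, and the ENTRY values are copied from the table above.

```python
"""Recompute the digests this entry lists for a downloaded sample and compare
them with the entry before any analysis starts. Added example; not code from
MalwareBazaar. Only the Python standard library is used."""
import hashlib
from typing import Dict, Iterable, Iterator, Union

# Values copied from the entry table above. A file is "this sample" only if
# it reproduces every one of them.
ENTRY: Dict[str, Union[str, int]] = {
    "md5": "41cf97be9aced54391e78228d5c1a63d",
    "sha1": "a1c7db7b11007e5df702af0073c0a3f969441cb4",
    "sha256": "6f757db2feb9c5e3817c192c661d7cc2d23ab24a9ae8608aedc3561a3b32012c",
    "sha3_384": "d4229b1f13ec42ecdd1777bec3525cf27f7b4a04e33eb576a7511af1947b5c91b53a834fcf06b7e00ed75849204e92fa",
    "size": 1899824,
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")   # all available in hashlib


def digests(chunks: Iterable[bytes]) -> Dict[str, Union[str, int]]:
    """One pass over the data, feeding all four hashers and counting bytes."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result: Dict[str, Union[str, int]] = {n: h.hexdigest() for n, h in hashers.items()}
    result["size"] = size
    return result


def read_chunks(path: str, chunk_size: int = 1 << 20) -> Iterator[bytes]:
    """Stream a file so multi-megabyte samples are not held in memory."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return
            yield chunk


def is_dos_executable(head: bytes) -> bool:
    """Cheap sanity check matching the entry's MIME type (application/x-dosexec):
    every MZ/PE executable starts with the 'MZ' DOS header magic."""
    return head[:2] == b"MZ"


def compare(observed: Dict[str, Union[str, int]],
            expected: Dict[str, Union[str, int]]) -> Dict[str, bool]:
    """Per-field verdict, so a mismatch shows exactly which digest disagrees."""
    return {field: observed.get(field) == value for field, value in expected.items()}


def matches(observed: Dict[str, Union[str, int]],
            expected: Dict[str, Union[str, int]]) -> bool:
    return all(compare(observed, expected).values())


if __name__ == "__main__":
    import sys
    path = sys.argv[1]                     # the extracted sample, not the ZIP
    seen = digests(read_chunks(path))
    with open(path, "rb") as fh:
        print("MZ header:", is_dos_executable(fh.read(2)))
    for field, ok in compare(seen, ENTRY).items():
        print(f"{field:9} {'OK' if ok else 'MISMATCH'}  {seen[field]}")
    sys.exit(0 if matches(seen, ENTRY) else 1)
```

The digests apply to the extracted executable, not to the ZIP wrapper in which MalwareBazaar serves samples; a mismatch on any single field means you are not looking at the bytes this entry describes and the sandbox results below do not apply.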

Code Signing Certificate

Organisation: Avast Software s.r.o.
Issuer: Avast Software s.r.o.
Algorithm: sha256WithRSAEncryption
Valid from: Jul 28 14:39:48 2020 GMT
Valid to: Jul 28 14:39:48 2021 GMT
Serial number: 4F42C4D58B57E6A0952191BE2E10492E
Thumbprint algorithm: SHA256
Thumbprint: A2806EDCE9EB34301C72224C564CF8571C33C6C8E713278E289F5231AD5378D1
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note that the issuer is identical to the subject: this is a self-signed certificate that merely carries the Avast name, not one issued to Avast by a public CA, and its validity period starts about two hours before the sample was first seen. Windows Authenticode validation will not chain it to a trusted root, so the signature lends the file no trust; a vendor name in a signature is only meaningful when the chain verifies.

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 81
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
  Unauthorized injection to a recently created process
  Creating a file
  Running batch commands
  Creating a process with a hidden window
  Launching a process

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signatures:
  Binary contains a suspicious time stamp
  Initial sample is a PE file and has a suspicious name
  Injects a PE file into a foreign process
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 252676, sample Invoice Copy.exe, start date 29/07/2020, architecture WINDOWS, score 60):
Sample-level signatures:
  Initial sample is a PE file and has a suspicious name
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Uses schtasks.exe or at.exe to add and modify task schedules
  Binary contains a suspicious time stamp
Process tree (indentation shows parent/child):
  Invoice Copy.exe  [Injects a PE file into a foreign process]
    Invoice Copy.exe  [drops C:\Users\user\AppData\Roaming\Intel.exe, PE32]
      cmd.exe
        Intel.exe
          Intel.exe
        conhost.exe
        timeout.exe
      cmd.exe
        conhost.exe
        schtasks.exe
  Intel.exe
    Intel.exe
  wuapihost.exe
Result
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-07-28 16:55:06 UTC
File type: PE (.Net Exe)
Extracted files: 11
AV detection: 19 of 29 (65.52%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: asyncrat
Score: 10/10
Tags: rat family:asyncrat
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Creates scheduled task(s)
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses
  Delays execution with timeout.exe
  Suspicious use of SetThreadContext
  Loads dropped DLL
  Executes dropped EXE
  AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
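The process chain in the behaviour graph above (the sample re-spawning its own image and injecting into it, cmd.exe launching schtasks.exe, and cmd.exe running timeout.exe before the dropped Intel.exe in AppData\Roaming) together with the "Creates scheduled task(s)", "Delays execution with timeout.exe" and "Executes dropped EXE" behaviours can be turned into detection logic over process-creation telemetry. The following is an added example, not code from MalwareBazaar or any of the sandbox vendors. The event format, PIDs and command lines are constructed to mirror the graph and are assumptions, not values reported on this page.

```python
"""Detection logic for the process chain in this entry's behaviour graph.
Added example, not code from MalwareBazaar or the sandbox vendors. The event
layout (Sysmon Event ID 1-like fields), PIDs and command lines below are
constructed to mirror the graph and are assumptions, not page data."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]   # one process-creation record

# Constructed events shaped after the graph: Invoice Copy.exe re-spawns itself,
# the child drops Intel.exe, one cmd.exe registers a scheduled task, another
# delays with timeout.exe and then starts the dropped file.
EVENTS: List[Event] = [
    {"pid": 1000, "ppid": 500,  "image": r"C:\Users\user\Downloads\Invoice Copy.exe",
     "cmdline": r'"C:\Users\user\Downloads\Invoice Copy.exe"'},
    {"pid": 1010, "ppid": 1000, "image": r"C:\Users\user\Downloads\Invoice Copy.exe",
     "cmdline": r'"C:\Users\user\Downloads\Invoice Copy.exe"'},
    {"pid": 1020, "ppid": 1010, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c schtasks /create /f /sc onlogon /rl highest /tn "Intel" /tr "C:\Users\user\AppData\Roaming\Intel.exe"'},
    {"pid": 1021, "ppid": 1020, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /rl highest /tn "Intel" /tr "C:\Users\user\AppData\Roaming\Intel.exe"'},
    {"pid": 1030, "ppid": 1010, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c timeout 3 > nul && "C:\Users\user\AppData\Roaming\Intel.exe"'},
    {"pid": 1031, "ppid": 1030, "image": r"C:\Windows\System32\timeout.exe",
     "cmdline": "timeout 3"},
    {"pid": 1032, "ppid": 1030, "image": r"C:\Users\user\AppData\Roaming\Intel.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\Intel.exe"'},
    {"pid": 1040, "ppid": 1032, "image": r"C:\Users\user\AppData\Roaming\Intel.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\Intel.exe"'},
]

# User-writable drop locations (assumption: the paths worth flagging here).
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def basename(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[object, List[Event]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img, cmd = basename(e["image"]), str(e["cmdline"]).lower()

        # 1. Scheduled-task persistence whose action lives in a user-writable
        #    directory ("Uses schtasks.exe ... to add and modify task schedules").
        if img == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):
            findings.append(("schtasks_persistence_userdir", int(e["pid"])))

        # 2. timeout.exe under cmd.exe with a sibling launched from AppData:
        #    "Delays execution with timeout.exe" followed by the dropped EXE.
        if img == "timeout.exe" and parent and basename(parent["image"]) == "cmd.exe":
            for sib in children.get(e["ppid"], []):
                if sib["pid"] != e["pid"] and USER_WRITABLE.search(str(sib["image"])):
                    findings.append(("timeout_then_dropped_exe", int(sib["pid"])))

        # 3. A process starting a fresh copy of its own image, the shape left
        #    behind by "Injects a PE file into a foreign process" in the graph.
        if parent and str(parent["image"]).lower() == str(e["image"]).lower():
            findings.append(("self_respawn_injection_candidate", int(e["pid"])))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:35} pid={pid}")
```

Rule 3 on its own is noisy (installers and browsers legitimately re-launch their own image), which is why the sandbox combines it with WriteProcessMemory and SetThreadContext; in a real pipeline it should raise the score of a process chain rather than alert alone, while rules 1 and 2 are specific enough to page on.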

File information


The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT | Executable exe | 6f757db2feb9c5e3817c192c661d7cc2d23ab24a9ae8608aedc3561a3b32012c (this sample)

Comments