MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65
SHA3-384 hash:	db88a65e794998e1765d5c0a9fa4f74ac5839429152bb847b509619cf7be92e9938a91f7076650419f264474796a3518
SHA1 hash:	fcdee5d1ef21ddc714023a48d9b53feae7c3419a
MD5 hash:	c46f6eeb380f5d619319b7de96bf49dc
humanhash:	network-harry-nitrogen-skylark
File name:	6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	768'000 bytes
First seen:	2020-11-14 17:59:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0544bc0216cd83fdd455f0d0919afe2b (5 x AgentTesla, 3 x AsyncRAT, 2 x HawkEye)
ssdeep	12288:GJJ2i5H2AiOhurW/FJk808+KYsSkcda4wGeL44Hwso2w6aX6gO1Mio:GJJnHTiOgC48fdY4pGeBHiPXtT
Threatray	2'444 similar samples on MalwareBazaar
TLSH	6DF47E23F1A0C837D563297CCC0B57A46AE5BE113929B58A7BF52D0C9F3F69078152A3
Reporter	seifreed
Tags:	AsyncRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

DNS request

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/536104

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AntiVM_3

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-11-14 18:01:21 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6qimekibwvs6kw7ql5id2nubpw3lkgyfebqfhneakjfb74lx5sq._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

2cd90fecf4222117ecf6478b1ead6bfa0d059303949f0cd91654b9b92d78ec09

AsyncRAT

4075e5cedf262f587538979cd6d62ff4b0fc5bdf7f9a4b770ae9e297ea7c9fcc

AsyncRAT

4457d49095a509a84ce5c9796b7470c03a95638e1f628882cb8f6331b0153efb

AsyncRAT

46bf7a6257a12bb2e56d9770eebc93606d9cf3f1f3af49ba987ebfef0ddb6216

AsyncRAT

812a2ed477ffdac4f86746d587fd8a34ac9c1f6b65c15a38ac08079c32ecfdce

AsyncRAT

ac8fcffe7966af957a58b52c744c026eff7acc393ffbc57d0fe9e8c2d901f68e

AsyncRAT

e3a18338921238575f176f679030eac3352c24066d8da0602b3c8b4e75bb1bad

AsyncRAT

e45aa38e4f734a6b5e9d8e55d3b71b16e4ae389eb7c857bbdaa98fb47e1d9ef3

AsyncRAT

e678a72b6f30f69daafd945543d4bb3e58152c37f8a7b883ce96b9ddf1c1c482

AsyncRAT

+ 2'434 additional samples on MalwareBazaar

Gathering data

Unpacked files

SH256 hash:

6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65

MD5 hash:

c46f6eeb380f5d619319b7de96bf49dc

SHA1 hash:

fcdee5d1ef21ddc714023a48d9b53feae7c3419a

Link:

https://www.unpac.me/results/3cb777ed-4d8e-47fb-9673-17a122321c3c/

SH256 hash:

cadd1e0dad7442347a08dd01dff26bc3950a257c30284214a3dcaebcb6f71ead

MD5 hash:

c5f54ee7ef5a37d68653877316957b31

SHA1 hash:

433e16ccf7d71308726e1730e49adfd9cef855e8

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/3cb777ed-4d8e-47fb-9673-17a122321c3c/

Parent samples :

812a2ed477ffdac4f86746d587fd8a34ac9c1f6b65c15a38ac08079c32ecfdce
cf364a11ce33f41f54a6a8466aff01c80c7900fa56eaf5dfa6489416d8c59149
156d0c5e68f17fb5294cd708f1660337165a307c8c7064ab86971efb39738bc8
176a363ccb3166d15e413874770dfff7b8df71fb9d39102c87030edd463ae1e2
29acf849f61e3ce83524dc5f277adc62d6c7027000a986f4f8d128063142d386
6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65
88af21c3af8ef0793eedb99d527a967baf487e7b239cc3f5231f951b743b51fe
91cb0ce1e1aea0e205d4ec211d136e3dc461cfa9c871fd28c66753cbe10a7666

SH256 hash:

980c5afaa74db34cf151fc179fcbb64ade44cd2881446a0405463de878791ebb

MD5 hash:

37e0f25ee4fca0c0211969b55eecbdbe

SHA1 hash:

3a416527625bdbd5a1701a3e28da5bd9d3c2dbbf

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/3cb777ed-4d8e-47fb-9673-17a122321c3c/

Parent samples :

812a2ed477ffdac4f86746d587fd8a34ac9c1f6b65c15a38ac08079c32ecfdce
6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Barys

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample