MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7623519a30d274a1587ff9822c506535dcb72fd773a4a960cc5fe9c4b7a9a0f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	7623519a30d274a1587ff9822c506535dcb72fd773a4a960cc5fe9c4b7a9a0f4
SHA3-384 hash:	31bf586ee331aaf1fd9a35d5b834181fb320cc4716783022434707cc019c332c4a0ae51e15125f44301a9bc59d1259c5
SHA1 hash:	1ba20fd3940998c87f84337e064f568f91c1a56d
MD5 hash:	565c7b4e8a996fe387749cbe385c8987
humanhash:	oven-kentucky-mississippi-white
File name:	PROOF OF PAYMENT.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	681'472 bytes
First seen:	2020-08-04 12:58:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:vS7HcPgYxmOE+2Do4pPeRH89ffaAh14C1G48RDVj:dIYxPeVZl5aQ13G4GV
Threatray	298 similar samples on MalwareBazaar
TLSH	56E48DC2F5409D51D82A4E3B8C3359914B33AC6BEF02C607349CB6596BF72966A35F83
Reporter	abuse_ch
Tags:	AsyncRAT exe nVpn RAT

abuse_ch

Malspam distributing AsyncRAT:

HELO: smtp2.orange.ci
Sending IP: 196.201.64.69
From: Ingrid Fred <lamtogeo@aviso.ci>
Reply-To: Ingrid Fred <shawnggd@gmail.com>
Subject: Proof Of Payment
Attachment: PROOF OF PAYMENT 1.UUE (contains "PROOF OF PAYMENT.exe")

AsyncRAT C2:
ansrt.duckdns.org:2190 (79.134.225.73)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38670/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt to an infection source

Enabling autorun by creating a file

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/409402

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7623519a30d274a1587ff9822c506535dcb72fd773a4a960cc5fe9c4b7a9a0f4/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-04 13:00:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oyrvdgrq2j2kcwd77gbcyudfgxolol6xoosksygml7u4jn5jud2a._file

Verdict:

malicious

Result

Malware family:

asyncrat

Score:

10/10

Tags:

rat family:asyncrat

Link:

https://tria.ge/reports/200804-mekkt939sj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

AsyncRat

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7623519a30d274a1587ff9822c506535dcb72fd773a4a960cc5fe9c4b7a9a0f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b1f39918f8d075952f7c9a498e57ed2b

AsyncRAT

exe 7623519a30d274a1587ff9822c506535dcb72fd773a4a960cc5fe9c4b7a9a0f4

(this sample)

Dropped by

MD5 b1f39918f8d075952f7c9a498e57ed2b

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/38670/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample