MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78396f7f4448c533637a2ceddd8cf6e94681b7f0c2c7b446c3db3704bda8b928. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78396f7f4448c533637a2ceddd8cf6e94681b7f0c2c7b446c3db3704bda8b928
SHA3-384 hash: 83e1436de7efa4d6e8555368f1a90470aa6ee9aff80300d705d7a98f9355e1d4a19ea8cca8b39da7c68e4871e3306892
SHA1 hash: 43616891bec51fe176294c033acbe0f39a899b72
MD5 hash: a6598e63d06b76cd0851e1173ad7a904
humanhash: papa-music-lemon-pip
File name:a6598e63d06b76cd0851e1173ad7a904.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:716'800 bytes
First seen:2021-05-13 17:30:33 UTC
Last seen:2021-05-14 03:02:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:fJ2c04Jy4wYIm559xL6Rmifa9AwW42KPiJnvGCS550Nteq3cwE+B:fJD04Jy4wYP59FB2uCS3y3cwEA
Threatray 24 similar samples on MalwareBazaar
TLSH 58E48D902BFC8B3AC98D43F9F095671167F5C41E939FFB9BB94168A52C833A159102E3
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
193.142.146.202:47945

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.142.146.202:47945 https://threatfox.abuse.ch/ioc/40456/

Intelligence

File Origin
# of uploads :
3
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6598e63d06b76cd0851e1173ad7a904.exe
Verdict:
No threats detected
Analysis date:
2021-05-13 17:32:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c7b4e8c9-7868-414f-92ae-4b41f2826c0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/156277/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46268689.27675.27630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/781263
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses nslookup.exe to query domains
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 413659 Sample: Yix5jaGYaL.exe Startdate: 13/05/2021 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 8 other signatures 2->78 8 Yix5jaGYaL.exe 4 9 2->8         started        12 nslookup.exe 2->12         started        14 nslookup.exe 2->14         started        process3 file4 58 C:\Users\user\AppData\...\nslookup.exe, PE32 8->58 dropped 60 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 8->60 dropped 62 C:\Users\...\nslookup.exe:Zone.Identifier, ASCII 8->62 dropped 64 2 other malicious files 8->64 dropped 84 Writes to foreign memory regions 8->84 86 Allocates memory in foreign processes 8->86 88 Injects a PE file into a foreign processes 8->88 16 RegAsm.exe 16 6 8->16         started        20 wscript.exe 1 8->20         started        90 Antivirus detection for dropped file 12->90 92 Multi AV Scanner detection for dropped file 12->92 94 Machine Learning detection for dropped file 12->94 23 RegAsm.exe 12->23         started        25 RegAsm.exe 14->25         started        27 RegAsm.exe 14->27         started        signatures5 process6 dnsIp7 66 193.142.146.202, 49722, 8808 HOSTSLICK-GERMANYNL Netherlands 16->66 68 pastebin.com 104.23.98.190, 443, 49721 CLOUDFLARENETUS United States 16->68 70 192.168.2.1 unknown unknown 16->70 52 C:\Users\user\AppData\Local\Temp\zxrzsw.exe, PE32 16->52 dropped 54 C:\Users\user\AppData\Local\Temp\ohvbnz.exe, PE32+ 16->54 dropped 56 C:\Users\user\AppData\Local\Temp\iykroy.exe, PE32 16->56 dropped 29 cmd.exe 16->29         started        32 cmd.exe 16->32         started        34 cmd.exe 16->34         started        80 Wscript starts Powershell (via cmd or directly) 20->80 82 Adds a directory exclusion to Windows Defender 20->82 36 powershell.exe 26 20->36         started        file8 signatures9 process10 signatures11 96 Suspicious powershell command line found 29->96 98 Wscript starts Powershell (via cmd or directly) 29->98 100 Bypasses PowerShell execution policy 29->100 38 conhost.exe 29->38         started        40 powershell.exe 29->40         started        42 conhost.exe 32->42         started        44 powershell.exe 32->44         started        46 conhost.exe 34->46         started        48 powershell.exe 34->48         started        50 conhost.exe 36->50         started        process12
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/78396f7f4448c533637a2ceddd8cf6e94681b7f0c2c7b446c3db3704bda8b928/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 00:39:10 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pa4w672ejdctgy32ftw53dhw5fdidn7qyld3irwd3m3qjpnixeua._file
Verdict:
suspicious
Similar samples:
0e16268b5f26f1f7314bb1b21bb246b99ee4fd6e000818edc94f7efa67964a4d
AsyncRAT
1643306adbe8c7e38ee965ab974c1d074afc671c0e5aa0c2b50a18cc67036a50
AsyncRAT
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
AsyncRAT
47aaf274ba6635b13798292366c06640a3dff0d314b56aabf0dc4f6d22ab5bd4
AsyncRAT
6be8541f9acb169414f3b10de5619404ebdf7845c21fc4451ba2dd18d1602dc1
AsyncRAT
80e9c429bf5d6b1116009980d85bd36ad7b3c05a5ad0f69a836bbcd7d0df7090
AsyncRAT
9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
AsyncRAT
abeff15c4406f81d4332fa38897f618ea4c661335e6890b764b73408cfe4f48a
AsyncRAT
ad7e94c87890fd0d5e1ad30178606823c42c01b5e07bbc56bb86bf2bf3ae1477
AsyncRAT
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
AsyncRAT
+ 14 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline discovery infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/210513-w3b71jwaca/
Behaviour
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
RedLine
RedLine Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AsyncRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78396f7f4448c533637a2ceddd8cf6e94681b7f0c2c7b446c3db3704bda8b928

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/156277/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-13 18:00:48 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program