MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79aefd220ad57f02617c46f42f1c1eecd787b1149c19f2935b591525ad4390bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79aefd220ad57f02617c46f42f1c1eecd787b1149c19f2935b591525ad4390bf
SHA3-384 hash: f5aeab68e6785feadc91d3803aa8d55bb6c562ae54acecbd64c6b3901b44fa0097f0001be4bbee4a5b92a3d18ce49183
SHA1 hash: b8e1536032ecb2b11c9579ec4b111884d85489f5
MD5 hash: bfc29007540a34ebb7c3551c33c2e1b2
humanhash: oxygen-jupiter-bakerloo-whiskey
File name:WIRE_CONFIRMATION_USD_CURRENCY.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:346'112 bytes
First seen:2020-10-28 08:48:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:rou+e8UEfpRKaEMP3q912W5+ka7KIyDuqw/fvh/KZRB/gu5IIYLlJkjn/IRc5TdI:rouJ8JRKaEM7Wwka7HxCZztc
TLSH 1874B83D6E8526E36277E676A0F50187F9E861DA73791D8B01C32B08294EF123D9B34D
Reporter abuse_ch
Tags:AsyncRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: bestocean.com
Sending IP: 103.150.187.47
From: Ellen Tien (Accounting Dept) <ellen.tien@bestocean.com>
Subject: Invoice-WIre Confirmation USD45,909
Attachment: WIRE_CONFIRMATION_USD_CURRENCY.zip (contains "WIRE_CONFIRMATION_USD_CURRENCY.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/80370/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/514786
Signature
.NET source code contains very large strings
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 306506 Sample: WIRE_CONFIRMATION_USD_CURRE... Startdate: 28/10/2020 Architecture: WINDOWS Score: 96 33 finishfarm.duckdns.org 2->33 35 cdn.onenote.net 2->35 39 Multi AV Scanner detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AsyncRAT 2->43 45 6 other signatures 2->45 8 WIRE_CONFIRMATION_USD_CURRENCY.exe 10 2->8         started        12 tassk.exe 4 2->12         started        signatures3 process4 dnsIp5 29 C:\Users\user\AppData\Roaming\tassk.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 8->31 dropped 47 Creates an undocumented autostart registry key 8->47 49 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->49 15 cmd.exe 1 8->15         started        17 cmd.exe 1 8->17         started        37 finishfarm.duckdns.org 185.244.30.139, 49748, 49749, 49750 DAVID_CRAIGGG Netherlands 12->37 51 Multi AV Scanner detection for dropped file 12->51 53 Machine Learning detection for dropped file 12->53 file6 signatures7 process8 process9 19 tassk.exe 5 15->19         started        21 conhost.exe 15->21         started        23 timeout.exe 1 15->23         started        25 conhost.exe 17->25         started        27 schtasks.exe 1 17->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79aefd220ad57f02617c46f42f1c1eecd787b1149c19f2935b591525ad4390bf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-28 07:22:03 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgxp2iqk2v7qeyl4i32c6ha65tlypmiutqm7fe23leksllkdsc7q._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/201028-qaw2lhve7j/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip f517085c06a8fbdc4b83932bbc7b00024d3b47e4d023faae3051284b68600959

AsyncRAT

Executable exe 79aefd220ad57f02617c46f42f1c1eecd787b1149c19f2935b591525ad4390bf

(this sample)

  
Dropped by
MD5 bd5a3d9fd6edadeb766648eecee9d6be
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f517085c06a8fbdc4b83932bbc7b00024d3b47e4d023faae3051284b68600959
Cape
Cape
https://www.capesandbox.com/analysis/80370/

Comments