MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7acc028b1fdf2fd2d09fec663aca4d5c440ac4f206cc6c45857cee5c8761c335. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7acc028b1fdf2fd2d09fec663aca4d5c440ac4f206cc6c45857cee5c8761c335
SHA3-384 hash: e5065d2a9031bac1bc24ef1aff6a29ebb66668ac6f38f5e60f66e77ba2d64b423de554e777c1e169655e374707393bd9
SHA1 hash: 27c4dd0cee65bed2b2ba62c2471c3ea8839b9ce3
MD5 hash: da325b68d3b24d11a3f7b82365ad2c0f
humanhash: alanine-ceiling-nine-hawaii
File name:Shipping_Documents_INV_PL_and_BL,pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:780'288 bytes
First seen:2021-01-15 07:11:19 UTC
Last seen:2021-01-15 09:12:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:5ejf5RctxpcCWyjZw6IwQZ3nfMEFXtUaSkL0rhTlI1gTfNqV83hx9kWVgPTTE9Nb:BDmfE9NNz902hei0iRlbWiAbL/Zk
Threatray 9 similar samples on MalwareBazaar
TLSH F4F47C419B919B11F37D63FD28141091ABF2C36AF3E9EB5DFC81A0F66A52E1841FD482
Reporter abuse_ch
Tags:AsyncRAT DHL exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: mail9.welislinghung.com
Sending IP: 161.35.237.190
From: DHL Express <support@dhl.com>
Subject: DHL Shipment Arrival : 3720991024
Attachment: Shipping_Documents_INV_PL_and_BL,pdf.zip (contains "Shipping_Documents_INV_PL_and_BL,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping_Documents_INV_PL_and_BL,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 07:33:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/694e5a8b-b115-4cb6-aa16-0d11ae5a75dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112174/
Detection(s):
SecuriteInfo.com.ArtemisDA325B68D3B2.22376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582264
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7acc028b1fdf2fd2d09fec663aca4d5c440ac4f206cc6c45857cee5c8761c335/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-15 01:13:24 UTC
AV detection:
4 of 44 (9.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=plgafcy734x5fue75rtdvssnlrcavrhsa3ggyrmfptxfzb3bym2q._file
Verdict:
unknown
Similar samples:
623c65639a4364546031c5edb9780ab9cbbe5e6713d09518805dcaded8e425a0
AsyncRAT
788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0
AsyncRAT
8994753df988a18e391508dcf4c6ebe31b2c73132fc601ed78ec19ccfb8bf049
AsyncRAT
a01cdc5ca32862dc9f825579970d9740a683b88ae426426caf1b8a607143e935
AsyncRAT
cce24ef5bce0ff17a08ef75abb9b0b0d61c8c3af663a3f01d552a4288008a027
AsyncRAT
dd715a1b1f733c57f100877432d8e365c0efe519cda845c0e37ebd58886dbea6
AsyncRAT
defe000395c5932a94450bd21a142a954d5113da26ee5127e8cab0980a62b042
AsyncRAT
e665d8433c9e96b567470eb29b4f2857911001759b66cafb40c1123befdaf458
AsyncRAT
fbc03136e9f9f81025904df9b17d27499561e026f3a0c1fe93ce92b008516454
AsyncRAT
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210115-27pkkq7c1n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
null:null
Unpacked files
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/8213131e-5183-4b46-acda-61f722b56559/
SH256 hash:
7acc028b1fdf2fd2d09fec663aca4d5c440ac4f206cc6c45857cee5c8761c335
MD5 hash:
da325b68d3b24d11a3f7b82365ad2c0f
SHA1 hash:
27c4dd0cee65bed2b2ba62c2471c3ea8839b9ce3
Link:
https://www.unpac.me/results/8213131e-5183-4b46-acda-61f722b56559/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/7acc028b1fdf2fd2d09fec663aca4d5c440ac4f206cc6c45857cee5c8761c335

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 01fe0c9e5c014e7e8f7691a63be151d57588473c66e87c3c031daded400463f5

AsyncRAT

Executable exe 7acc028b1fdf2fd2d09fec663aca4d5c440ac4f206cc6c45857cee5c8761c335

(this sample)

  
Dropped by
MD5 02b221aec6dc36f2d2a9e699c5838b4c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112174/
  
Dropped by
SHA256 01fe0c9e5c014e7e8f7691a63be151d57588473c66e87c3c031daded400463f5

Comments