MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca93809fbee49c7fdfd1aff84546a5fc31f30b4e44a6ca1f77b36b8ae2692e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AsyncRAT
Vendor detections: 5

SHA256 hash: 7ca93809fbee49c7fdfd1aff84546a5fc31f30b4e44a6ca1f77b36b8ae2692e6
SHA3-384 hash: 95510e2a6c377727bdd38ff0449742444fe1c617c4060fcdf75a40bcf13575fc8396a327d1a392e15e6357c81683143a
SHA1 hash: ebe3e2f1bbe065013ce561ccce366385403305a4
MD5 hash: 4563d89b8a161d8e47f9b33f5f976990
humanhash: magazine-ack-eight-zebra
File name: Sales Invoice_REG212004755711421641.vbs
Signature: AsyncRAT
File size: 213'194 bytes
First seen: 2021-09-02 19:37:02 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:IMoMoMoMeMoMoMoMeMoMoMoMeMoMoMoMeMoMoMoMeMoMoMoMeMoMoMoMeMoMoMo8:KgI/lkDslPW
TLSH: T1CF24C0A8434DAB8AF30B27593C8316B79C8A824FB7F72341A57A1F0A5706D41776BD07
Reporter: AndreGironda
Tags: aggah, AsyncRAT, hagga, Snip3, vbs


AndreGironda
MITRE T1566.001
Date: Thu, 02 Sep 2021 12:00-12:30 -0400
Received: from se6-iad1.servconfig.com (se6-iad1.servconfig.com [144.208.77.50])
From: Lee Roberts <Lee_Robert@cleanitsupply.com>
Subject: Inquiry for housing
Message-ID: <b4b6dbe323d713ab7b39f2df7897bb11@cleanitsupply.com>
User-Agent: Roundcube Webmail/1.4.11

Hello,

Can you advise price & availability?

Please place manually and confirm lower price.

Enquiries.pdf (file-chip link to https://onedrive.live.com/download?cid=42EEB4120DC0653B&resid=42EEB4120DC0653B%21106&authkey=AFpsRNze-kX-zYE; icon embedded as cid:16305997236130fa2b8ef50705534718@cleanitsupply.com)

Please advise accordingly

Kind regards

Intelligence

File Origin
Uploads: 1
Downloads: 258
Origin country: n/a

Vendor Threat Intelligence

Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Compiles code for process injection (via .Net compiler)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected RUNPE
Behaviour

Behavior Graph (ID: 476738; sample: Sales Invoice_REG2120047557...; start date: 02/09/2021; architecture: WINDOWS; score: 100). Process tree as given in the graph data, with node numbers in parentheses:

Sample (2): Found malware configuration; Antivirus detection for dropped file; Yara detected RUNPE; 5 other signatures
  wscript.exe (9): VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
    powershell.exe (14): contacts sharetext.me (172.67.141.169, port 443, local port 49733; CLOUDFLARENETUS, United States); drops C:\Users\Public\SystemUpdate.PS1 (ASCII); Drops VBS files to the startup folder; Compiles code for process injection (via .Net compiler)
      powershell.exe (21): drops C:\Users\user\AppData\...\cafpsupx.cmdline (UTF-8); Writes to foreign memory regions; Injects a PE file into a foreign processes
        InstallUtil.exe (33): connects to 36.255.96.200, port 4190 (ZNETUS, Pakistan)
        csc.exe (36): drops C:\Users\user\AppData\Local\...\cafpsupx.dll (PE32)
          cvtres.exe (43)
        InstallUtil.exe (39)
      conhost.exe (25)
  wscript.exe (12)
    powershell.exe (19): drops C:\Users\user\AppData\...\SystemLogin.vbs (ASCII) and C:\Users\user\AppData\Local\...\voi1zj4l.0.cs (C++); Writes to foreign memory regions; Injects a PE file into a foreign processes
      csc.exe (27): drops C:\Users\user\AppData\Local\...\voi1zj4l.dll (PE32)
        cvtres.exe (41)
      conhost.exe (29)
      InstallUtil.exe (31)
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat, rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
C2 Extraction: 36.255.96.200:4190
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author: ditekSHen
Description: Detects file containing reversed ASEP Autorun registry keys

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
