MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8
SHA3-384 hash: d0ba6ff4d4758947d340f22c54d481c58b810f7a6e45ea1e5f72244d462810c8a0281a003c23fa40f5ac62c8a9c189a8
SHA1 hash: deb76018ba4d8c1f700486804c383901923fe80c
MD5 hash: 2d3046668e4316eb38dfa44dd953a486
humanhash: tango-quiet-nevada-artist
File name:IMAGE21200021118921000.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:486'400 bytes
First seen:2021-02-19 10:47:43 UTC
Last seen:2021-02-19 12:59:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:cvwm+4SEmenH6nlLwbJUsz6hGSSt28JYivK+PAsTwChfQ:o+V4an1OWvHi3Is
Threatray 1'959 similar samples on MalwareBazaar
TLSH 80A49C666360AB9DC63A4D7584131A00DBF1DF378A07EBCB6C8338EC65FDE164B2115A
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117991/
Detection(s):
SecuriteInfo.com.Artemis2D3046668E43.31737.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/612599
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 355313 Sample: IMAGE21200021118921000.exe Startdate: 19/02/2021 Architecture: WINDOWS Score: 96 45 severdops.ddns.net 2->45 49 Multi AV Scanner detection for domain / URL 2->49 51 Yara detected AntiVM_3 2->51 53 Yara detected AsyncRAT 2->53 55 6 other signatures 2->55 10 IMAGE21200021118921000.exe 3 2->10         started        14 adobes.exe 3 2->14         started        signatures3 process4 file5 43 C:\Users\...\IMAGE21200021118921000.exe.log, ASCII 10->43 dropped 57 Injects a PE file into a foreign processes 10->57 16 IMAGE21200021118921000.exe 6 10->16         started        19 IMAGE21200021118921000.exe 10->19         started        59 Machine Learning detection for dropped file 14->59 21 adobes.exe 2 14->21         started        signatures6 process7 dnsIp8 41 C:\Users\user\AppData\Roaming\adobes.exe, PE32 16->41 dropped 24 cmd.exe 1 16->24         started        26 cmd.exe 1 16->26         started        47 severdops.ddns.net 103.151.123.132, 49748, 49749, 49750 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown 21->47 file9 process10 process11 28 adobes.exe 2 24->28         started        31 conhost.exe 24->31         started        33 timeout.exe 1 24->33         started        35 conhost.exe 26->35         started        37 schtasks.exe 1 26->37         started        signatures12 61 Injects a PE file into a foreign processes 28->61 39 adobes.exe 2 28->39         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-19 10:48:10 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qaj7sifcet3ohlyvmpieeeegnlxqwiwbixmcoj2l57b3jml45t4a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1
AsyncRAT
4a3dbd9e76bdf61687afb04313b2cd9682985f1c55c62f54d9f39442c538bae4
AsyncRAT
580b46d3c66531c7398e60857e6d5177d500d75cc802ded85965e0c2a09e255c
AsyncRAT
59d6ba5998d9ec44d081a04a07b76ed567b53fd8a7d97c07bb77da75172fe377
AsyncRAT
5d341e97346284948f292b2acef3b6a2b48f2e1b106732aeac5046723d5ec39e
AsyncRAT
65c205b93cf9c6d9e9acd5336e010a43309688bfc2e28cffbb5ba8973757fd49
AsyncRAT
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
AsyncRAT
848b8d647cdae7cf35f1322fb01fa3aa122c3d783bfa7b66791ec4ed1a66fef5
AsyncRAT
c94596dbfbc9fde422a8f6b20fc6e488d9fcd33931e0e2e07430824eeff8a04a
AsyncRAT
c9f2834a9860d26cfe06748d933b338c5f511a01442ade25930d292b52f1f625
AsyncRAT
+ 1'949 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210219-dq8dwsa1ha/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
severdops.ddns.net:6204
Unpacked files
SH256 hash:
b2f91d1427c7b60a3ad485bed04ba75636560783c9265a8f26542d5f6aa5d8a9
MD5 hash:
5ad6dc03137fc80e4e691f4b409d9120
SHA1 hash:
edb38e49ce79ecce33ce9a891df56468c3a4016e
Link:
https://www.unpac.me/results/3e8289ee-7375-4385-8970-d8fc09af185b/
SH256 hash:
8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8
MD5 hash:
2d3046668e4316eb38dfa44dd953a486
SHA1 hash:
deb76018ba4d8c1f700486804c383901923fe80c
Link:
https://www.unpac.me/results/3e8289ee-7375-4385-8970-d8fc09af185b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8013f920a224f6e3af1563d04210866aef0b22c145d827274befc3b4b17cecf8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/117991/

Comments