MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 864faa5510fdf217cafaf05723b969e2ad235ef085d368e701ae3d01d32752b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 864faa5510fdf217cafaf05723b969e2ad235ef085d368e701ae3d01d32752b4
SHA3-384 hash: e7f145b9fc6912e3d7a06f335c915d97b30be6a003c7cd1b9329a4f1f298cb076d5e92efe3be72a5260e07c074e0e873
SHA1 hash: e7e7a93e085544a45b8b6c82887ccc44c9aca235
MD5 hash: 31578532861eb5e2835b5d8b2e3403bf
humanhash: emma-massachusetts-wolfram-maine
File name:Proforma.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:183'632 bytes
First seen:2020-10-16 10:29:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:nDckOelTyjirtwVDe1B+ogfDaEJMvuiWTDL1CfMZiKKboXWR9Q6fkUfV:nDck2i2VDWB+VfD3S/kVmMZtKboXgdfl
TLSH 1E04078437128985EB0CD97C0BBF20B023A7EEA36DE1B3597B443311556B1A4F55CBAE
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: uzmantente.com
Sending IP: 193.169.253.189
From: info <info@uzmantente.com>
Subject: Fwd: RE: Enclosed Our Proforma Invoice To victim-email
Attachment: Proforma.r24 (contains "Proforma.exe")

AsyncRAT C2:
185.165.153.249:4571

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-AT
country: AT
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-10-07T21:42:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71900/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493412
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299162 Sample: Proforma.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 63 pastebin.com 2->63 75 Malicious sample detected (through community Yara rule) 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 5 other signatures 2->81 8 Proforma.exe 24 6 2->8         started        13 Proforma.exe 2->13         started        15 Proforma.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 67 pastebin.com 104.23.98.190, 443, 49743, 49773 CLOUDFLARENETUS United States 8->67 69 hastebin.com 104.24.127.89, 443, 49736, 49753 CLOUDFLARENETUS United States 8->69 59 C:\Users\user\AppData\...\Proforma.exe, PE32 8->59 dropped 61 C:\Users\...\Proforma.exe:Zone.Identifier, ASCII 8->61 dropped 83 Creates an undocumented autostart registry key 8->83 85 Creates autostart registry keys with suspicious names 8->85 87 Creates multiple autostart registry keys 8->87 95 2 other signatures 8->95 19 WerFault.exe 8->19         started        22 powershell.exe 25 8->22         started        24 powershell.exe 24 8->24         started        34 4 other processes 8->34 71 104.23.99.190, 443, 49758, 49762 CLOUDFLARENETUS United States 13->71 89 Adds a directory exclusion to Windows Defender 13->89 91 Hides threads from debuggers 13->91 26 timeout.exe 13->26         started        28 powershell.exe 13->28         started        37 2 other processes 13->37 93 Injects a PE file into a foreign processes 15->93 30 timeout.exe 15->30         started        73 104.24.126.89, 443, 49769 CLOUDFLARENETUS United States 17->73 32 timeout.exe 17->32         started        file6 signatures7 process8 dnsIp9 57 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->57 dropped 39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        65 185.165.153.249, 4571, 49744, 49752 DAVID_CRAIGGG Netherlands 34->65 51 conhost.exe 34->51         started        55 2 other processes 34->55 53 conhost.exe 37->53         started        file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/864faa5510fdf217cafaf05723b969e2ad235ef085d368e701ae3d01d32752b4/
Threat name:
ByteCode-MSIL.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 11:00:30 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzh2uviq7xzbpsx26blsholj4kwsgxxqqxjwrzybvy6qduzhkk2a._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan rat family:asyncrat
Link:
https://tria.ge/reports/201016-2x3ay5bqmx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Windows security modification
AsyncRat
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Malware Config
C2 Extraction:
185.165.153.249:4571
Unpacked files
SH256 hash:
864faa5510fdf217cafaf05723b969e2ad235ef085d368e701ae3d01d32752b4
MD5 hash:
31578532861eb5e2835b5d8b2e3403bf
SHA1 hash:
e7e7a93e085544a45b8b6c82887ccc44c9aca235
Link:
https://www.unpac.me/results/e1764e29-4ac5-45dc-af17-0595e38f66ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/864faa5510fdf217cafaf05723b969e2ad235ef085d368e701ae3d01d32752b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

rar e2b2dc5ba5344bc01c482c8436083cf5e4f4d61eee171f80c82793481f16fcaf

AsyncRAT

Executable exe 864faa5510fdf217cafaf05723b969e2ad235ef085d368e701ae3d01d32752b4

(this sample)

  
Dropped by
MD5 090a021415348eb66badbe31a7ab0712
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e2b2dc5ba5344bc01c482c8436083cf5e4f4d61eee171f80c82793481f16fcaf
Cape
Cape
https://www.capesandbox.com/analysis/71900/

Comments