MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8713ebcf30c5b9fcb2c3dc8fc8f14f3694b6e18fcc6f11003b3931eef2199501. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8713ebcf30c5b9fcb2c3dc8fc8f14f3694b6e18fcc6f11003b3931eef2199501
SHA3-384 hash: e25ee7541c389df8637b9acc2e2be5e81aa8e005b81fee05182aed55f085a74da089621c6e4009a8d7b5036b7911a218
SHA1 hash: 4df869c99f58a9b7573975d3c34e4a1f6144bee8
MD5 hash: a485c9d0dcd1fa88cf7b179449d681d3
humanhash: ack-illinois-zebra-ohio
File name:Factura.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:4'173'824 bytes
First seen:2022-09-15 12:40:34 UTC
Last seen:2022-09-15 14:24:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:K2MY9d+HB6hmaJid561Ea0BDZ9zFmWDnOE3x4dP76ZAL9:99d+HB6hfPuZAL
Threatray 173 similar samples on MalwareBazaar
TLSH T171161C10EBFA912AF1FF5F759AF564998EBBB6527A03E51D104012CD0A32B41CF9123B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
79.134.225.11:7935

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.11:7935 https://threatfox.abuse.ch/ioc/849850/

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
Factura.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 07:31:12 UTC
Tags:
trojan rat asyncrat agenttesla
Link:
https://app.any.run/tasks/6d3430bf-79a2-4d12-ba8a-8d59b62e8c60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/310259/
Detection(s):
SecuriteInfo.com.Variant.Tedy.203514.3541.30144.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe
Link:
https://www.filescan.io/uploads/63231d6a1183046074a35734/reports/28a00bad-fb19-4b5b-8e41-80d8c9df1711/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/812ffcaf-86bb-490b-a519-11f1379dc541
Result
Threat name:
AgentTesla, AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1071068
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703611 Sample: Factura.exe Startdate: 15/09/2022 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 4 other signatures 2->67 9 Factura.exe 3 2->9         started        12 Factura.exe 2 2->12         started        14 Factura.exe 2->14         started        16 Factura.exe 2->16         started        process3 file4 53 C:\Users\user\AppData\...\Factura.exe.log, ASCII 9->53 dropped 18 RegAsm.exe 2 5 9->18         started        22 WerFault.exe 3 10 12->22         started        24 WerFault.exe 14->24         started        process5 dnsIp6 55 79.134.225.11, 49723, 49727, 49731 FINK-TELECOM-SERVICESCH Switzerland 18->55 45 C:\Users\user\AppData\Local\Temp\rtjnrf.exe, PE32 18->45 dropped 47 C:\Users\user\AppData\Local\Temp\pawrxs.exe, PE32 18->47 dropped 26 cmd.exe 18->26         started        29 cmd.exe 1 18->29         started        57 192.168.2.1 unknown unknown 22->57 49 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->49 dropped 51 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->51 dropped file7 process8 signatures9 83 Suspicious powershell command line found 26->83 31 powershell.exe 26->31         started        33 conhost.exe 26->33         started        85 Bypasses PowerShell execution policy 29->85 35 powershell.exe 12 29->35         started        37 conhost.exe 29->37         started        process10 process11 39 pawrxs.exe 31->39         started        43 rtjnrf.exe 2 35->43         started        dnsIp12 69 Antivirus detection for dropped file 39->69 71 Multi AV Scanner detection for dropped file 39->71 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->73 81 4 other signatures 39->81 59 mail.capicor.com 188.165.132.196, 49741, 49747, 587 OVHFR France 43->59 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 43->75 77 Tries to steal Mail credentials (via file / registry access) 43->77 79 Machine Learning detection for dropped file 43->79 signatures13
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8713ebcf30c5b9fcb2c3dc8fc8f14f3694b6e18fcc6f11003b3931eef2199501/
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2022-09-15 12:41:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4j6xtzqyw47zmwd3sh4r4kpg2klnympzrxrcab3hey654qzsuaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
0b3020eb6b8360bae5958d4f8e877fe532d1c21bbaa851c364aaef0b6f67e1ac
AsyncRAT
2b706f2254c046cc98027519e95de07d7e0d63ac61733db9c42fc2995b69fe48
AsyncRAT
40c935ce8104afa8a498a4bde6146fb548e202370212ebbb7851ed443b3af510
AsyncRAT
5c06feb446bfb3ba4455d92b452a153c44ed0e272453892796d1d8ee96341e3f
AsyncRAT
67741e596f4d59713a232bfb45d6cb0b2592f67b867773f72c2bb0fa2f749685
AsyncRAT
9f340084a105595091444c4fe491dcb4cee297c296812165dcbe4f23579fff1a
AsyncRAT
c292d019df9deb09354d85ee3e021d61978038873bb2896508fe3931b20872c9
AsyncRAT
cbde068b97a9081568dea732d561f26c52946ebbadf260c2305b46f369b20c9d
AsyncRAT
db29e46a00783cde39989459c59012331558105ed1c0de921ad0f296f3a1d2bf
AsyncRAT
fbe6f83cfe3708300938643cb9f99def1aec2ffa842e026daea15b5706d1ceaf
AsyncRAT
+ 163 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:asyncrat collection keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/220915-pwrh1sggfj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AgentTesla
AsyncRat
Malware Config
C2 Extraction:
p=
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a978fc5e-568f-4263-8048-62c0c3b5e68d
Unpacked files
SH256 hash:
49000ad6729d935e7361c21b5a98e8cd7f808b008928019354e636bcdef9d50b
MD5 hash:
5a8fa144f74300317849056b0d38bbf6
SHA1 hash:
a37c7737fbc22afd455dc89900911662f5c19574
Link:
https://www.unpac.me/results/b520920e-9076-4e57-9d41-ce5c8d5dfcc2/
SH256 hash:
264726fea118ddfa16b534076e160900bda426574a88112903a2a20664c26627
MD5 hash:
54f9556445b9d2f57a740f4bba69b261
SHA1 hash:
37e8803bb4c1a338d9d09bb0ce187496cb092d97
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/b520920e-9076-4e57-9d41-ce5c8d5dfcc2/
SH256 hash:
8713ebcf30c5b9fcb2c3dc8fc8f14f3694b6e18fcc6f11003b3931eef2199501
MD5 hash:
a485c9d0dcd1fa88cf7b179449d681d3
SHA1 hash:
4df869c99f58a9b7573975d3c34e4a1f6144bee8
Link:
https://www.unpac.me/results/b520920e-9076-4e57-9d41-ce5c8d5dfcc2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8713ebcf30c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8713ebcf30c5b9fcb2c3dc8fc8f14f3694b6e18fcc6f11003b3931eef2199501

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest2
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310259/

Comments