MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91512a6af5a6f62bd3348e28a4920a88bdaed4732ca9afcb956f0ca8c16d734f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91512a6af5a6f62bd3348e28a4920a88bdaed4732ca9afcb956f0ca8c16d734f
SHA3-384 hash: 5b6d652fb7478178bf52cbef32a3c8a7215df5ac6a0ba9dc140aba0dcafc1c3d0fc8de3a2c61d027d44d56fa54de4245
SHA1 hash: 1023e48556995a39fb62e94f391a65c51e5fea52
MD5 hash: 7b5e0e2402696d7dbf3a8d6661d9f144
humanhash: autumn-william-golf-solar
File name:AWB# DHL_102521 Empfangsbeleg,pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:305'664 bytes
First seen:2021-11-02 12:12:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:e4Qt4DwtGr5MWiK6UF1/XPmD+3JDwuU/QlC1d2OHJRay7d6I8yJxZXQhJJNkbUL+:5Vrl1eYwTx1Ja8sGXQJNkba+
Threatray 2'317 similar samples on MalwareBazaar
TLSH T1AE54432C3ECD1B72ED1ED5B84A058A09BB670F036A40FA93D78B19CAA74F0655DC7C85
File icon (PE):PE icon
dhash icon 4db292f2d88cb40b (15 x RemcosRAT, 13 x AgentTesla, 7 x NanoCore)
Reporter lowmal3
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB# DHL_102521 Empfangsbeleg,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 12:17:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c94556d6-8ec9-4107-9333-e5189a8126ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201431/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.MN.10.31015.11517.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61812b501c62c356607ee950/reports/624ec8c5-6c89-4fda-86ae-028df44cca60/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/020a04ef-2bd4-41e7-b7d5-08be92024ebb
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/881257
Signature
.NET source code contains potential unpacker
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 513688 Sample: AWB# DHL_102521 Empfangsbel... Startdate: 02/11/2021 Architecture: WINDOWS Score: 100 63 ramlifaris684.duckdns.org 2->63 67 Found malware configuration 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected AsyncRAT 2->71 73 6 other signatures 2->73 8 AWB# DHL_102521 Empfangsbeleg,pdf.exe 5 2->8         started        12 jdgy.exe 4 2->12         started        14 jdgy.exe 3 2->14         started        signatures3 process4 file5 59 AWB# DHL_102521 Em...gsbeleg,pdf.exe.log, ASCII 8->59 dropped 77 Injects a PE file into a foreign processes 8->77 16 cmd.exe 3 8->16         started        19 cmd.exe 1 8->19         started        22 AWB# DHL_102521 Empfangsbeleg,pdf.exe 2 8->22         started        61 C:\Users\user\AppData\Local\...\jdgy.exe.log, ASCII 12->61 dropped 79 Multi AV Scanner detection for dropped file 12->79 81 Machine Learning detection for dropped file 12->81 25 cmd.exe 1 12->25         started        27 cmd.exe 1 12->27         started        29 jdgy.exe 2 12->29         started        31 cmd.exe 14->31         started        33 cmd.exe 14->33         started        35 jdgy.exe 14->35         started        signatures6 process7 dnsIp8 55 C:\Users\user\AppData\Roaming\jdgy\jdgy.exe, PE32 16->55 dropped 57 C:\Users\user\...\jdgy.exe:Zone.Identifier, ASCII 16->57 dropped 37 conhost.exe 16->37         started        75 Uses schtasks.exe or at.exe to add and modify task schedules 19->75 39 conhost.exe 19->39         started        41 schtasks.exe 1 19->41         started        65 ramlifaris684.duckdns.org 194.147.140.26, 6395 PTPEU unknown 22->65 43 conhost.exe 25->43         started        45 schtasks.exe 1 25->45         started        47 conhost.exe 27->47         started        49 conhost.exe 31->49         started        51 schtasks.exe 31->51         started        53 conhost.exe 33->53         started        file9 signatures10 process11
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91512a6af5a6f62bd3348e28a4920a88bdaed4732ca9afcb956f0ca8c16d734f/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 11:22:47 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfisu2xvu33cxuzuryukjeqkrc625vdtfsu27s4vn4gkrqlnonhq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
507cd77f0000cc2af40601e9121683769ea55d389a1df1c7832a103785711fb4
AsyncRAT
6776c42da9ff39df7f76649d5ad287ff628790e84c7bebf325cb9b8c2e74aeb2
AsyncRAT
977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1
AsyncRAT
c92748428af1806d4ecc702bce8ad9abcac6b738e7208d3586450cb4944a87a9
AsyncRAT
f051b1c9df37c1d4236c98b54883d4005572910949a1be18ab6ead13754147dc
AsyncRAT
f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
AsyncRAT
fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e
AsyncRAT
+ 2'307 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/211102-pdq5jahear/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
ramlifaris684.duckdns.org:6395
Unpacked files
SH256 hash:
a8007413018cb007cedb99ae1797b593a8d26232054ef9c0fe2636ec233fe3d5
MD5 hash:
6700796d184882865ab0811cb9967dd2
SHA1 hash:
b7844fd663013db32e464c2f2fc4a32226becdac
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/220245d0-643b-467c-8b1e-c4b2b14dc6be/
SH256 hash:
91512a6af5a6f62bd3348e28a4920a88bdaed4732ca9afcb956f0ca8c16d734f
MD5 hash:
7b5e0e2402696d7dbf3a8d6661d9f144
SHA1 hash:
1023e48556995a39fb62e94f391a65c51e5fea52
Link:
https://www.unpac.me/results/220245d0-643b-467c-8b1e-c4b2b14dc6be/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/91512a6af5a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91512a6af5a6f62bd3348e28a4920a88bdaed4732ca9afcb956f0ca8c16d734f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 91512a6af5a6f62bd3348e28a4920a88bdaed4732ca9afcb956f0ca8c16d734f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/201431/

Comments