MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96256638f3441f3b5c12e3fd667daa2cbbc1935300dc6ac2606fad8ced276d2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96256638f3441f3b5c12e3fd667daa2cbbc1935300dc6ac2606fad8ced276d2e
SHA3-384 hash: c43eb058c0cc3c82c515c6b4ce0688a60fb766cc97a564774fb4db4e2562734372a85a69835968474e8ede451c12d14f
SHA1 hash: ccce18f32a54bce9f4eacd467ab1a5573934733c
MD5 hash: 06f6128ed4fdab3b42dcf93388117de4
humanhash: low-sodium-solar-oregon
File name:TEST13.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:451'072 bytes
First seen:2020-10-05 17:43:45 UTC
Last seen:2020-10-05 18:38:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:j9977eJOHmW5ZOYd/RI9xylx8RG31E89nQAXAUItLgPUdbqvA:p9veoRzpIyKG3W8CAXW0Mdev
Threatray 476 similar samples on MalwareBazaar
TLSH 25A460426324CF45D464B37F02DDAA9DA3E2F5DB3611CA0A1B0F5BB125539E6AE0F18C
Reporter James_inthe_box
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481869
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293374 Sample: TEST13.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 6 other signatures 2->45 8 TEST13.exe 4 2->8         started        12 Microsoft Office.exe 2 2->12         started        process3 file4 33 C:\Users\user\AppData\...\TEST13.exe.log, ASCII 8->33 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->55 14 cmd.exe 1 8->14         started        16 cmd.exe 2 8->16         started        57 Writes to foreign memory regions 12->57 59 Allocates memory in foreign processes 12->59 61 Injects a PE file into a foreign processes 12->61 19 InstallUtil.exe 12->19         started        signatures5 process6 file7 21 Microsoft Office.exe 5 14->21         started        24 conhost.exe 14->24         started        31 C:\Users\user\...\Microsoft Office.exe, PE32 16->31 dropped 26 conhost.exe 16->26         started        process8 signatures9 47 Writes to foreign memory regions 21->47 49 Allocates memory in foreign processes 21->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->51 53 Injects a PE file into a foreign processes 21->53 28 InstallUtil.exe 2 21->28         started        process10 dnsIp11 35 194.5.97.85, 49757, 8808 DANILENKODE Netherlands 28->35 37 192.168.2.1 unknown unknown 28->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96256638f3441f3b5c12e3fd667daa2cbbc1935300dc6ac2606fad8ced276d2e/
Threat name:
ByteCode-MSIL.Spyware.HiveMon
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 17:43:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=syswmohtiqptwxas4p6wm7nkfs54de2tadogvqtan6wyz3jhnuxa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
126a37d9189d9ef7872b74fb13f562bc8601622b6455e01fefd646b463966fa6
AsyncRAT
12859bb50366c248e9488a8852c0923bcb4135f8fcedcbac19228fe329ff39a7
AsyncRAT
17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71
AsyncRAT
3e9cb7d6eaaa8c07d939eca0bbfd2d670e349de2dd018c8d30ab59b5e19ddc95
AsyncRAT
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
AsyncRAT
847b3580cba59e7f4b453488c263544f3c481027d2ddf4f9f3988d84afc35c85
AsyncRAT
a4df5e9015f70b47dc4f2e6bae0fbeb9d108979e0cda7ef54aa123a0d33bdf8b
AsyncRAT
bbae735df39c1301901ca97c6993f2b6fd7233a0360761eab8b65f2556df4517
AsyncRAT
c8cc7c1a1210a082960b929c3598521979e16c1c6f5626b8ad29b9618ab5e18c
AsyncRAT
d0d47f1c08031d4297f713a98d6ca969009df8c0f637110622190d4ff9727106
AsyncRAT
+ 466 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201005-bgj391r27s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
96256638f3441f3b5c12e3fd667daa2cbbc1935300dc6ac2606fad8ced276d2e
MD5 hash:
06f6128ed4fdab3b42dcf93388117de4
SHA1 hash:
ccce18f32a54bce9f4eacd467ab1a5573934733c
Link:
https://www.unpac.me/results/acb7a4b5-8639-4118-9256-eab3ee74bfdc/
SH256 hash:
2e78f0ba1c93179c23234fbfd779077d3ca5bd3d263a90eb8f5dce05d355c366
MD5 hash:
de566e9813670fc364f1b8149a40a498
SHA1 hash:
29b74683fe56b9f00796a499f575caf6f08608c5
Link:
https://www.unpac.me/results/acb7a4b5-8639-4118-9256-eab3ee74bfdc/
SH256 hash:
00e30c88e6baaaa6a3ccd645e8b5a51bc24f1f5d2f49e81b292e92ecdacce22b
MD5 hash:
8ea82c239f1f8add697f465f0172649f
SHA1 hash:
3fda68b043493b4a6e3561b0257c0e34ce14fb55
Link:
https://www.unpac.me/results/acb7a4b5-8639-4118-9256-eab3ee74bfdc/
SH256 hash:
7db185b26885a19a82eefd7bfbdf2907d8fb8d9ad40d90afd6c459c390ef6b81
MD5 hash:
e2fee7c6aeaa03fb52050301327c2f7a
SHA1 hash:
d726bc2548d86b7b71735c611c72b491a1025847
Link:
https://www.unpac.me/results/acb7a4b5-8639-4118-9256-eab3ee74bfdc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/96256638f3441f3b5c12e3fd667daa2cbbc1935300dc6ac2606fad8ced276d2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/68301/

Comments