MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a8fd2998869405d6dd8a1e48d75c5bd072ab2768f80717b205115ec5303eb71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a8fd2998869405d6dd8a1e48d75c5bd072ab2768f80717b205115ec5303eb71
SHA3-384 hash: b17e9860e8ac420ca4662b99f6021dc3533df5c9afb76b462b20d6014be04a08355a7923c9ef884ac0adf8dc8af28fd7
SHA1 hash: 07bebc09208f01142bbcb7baaf3eebb7c37f40af
MD5 hash: 1177ecfa0e8843e2b468bf219b9f5a6e
humanhash: ohio-kentucky-vermont-fanta
File name:1177ecfa0e8843e2b468bf219b9f5a6e.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:9'216 bytes
First seen:2021-08-25 18:50:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 192:FwgknpyLYtHniDUUUUUPUU7AiQceasxD1:F9EpyLYtHiDUUUUUPUUuJV1
Threatray 1'388 similar samples on MalwareBazaar
TLSH T14B1267A593F801A7F6327E376CDBFD03A93635C31C29AA5D47428B192C22E16CDB1990
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
18.133.124.202:4784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
18.133.124.202:4784 https://threatfox.abuse.ch/ioc/195181/

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1177ecfa0e8843e2b468bf219b9f5a6e.exe
Verdict:
Malicious activity
Analysis date:
2021-08-25 18:51:16 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/d0ccc4c2-3a4f-4b2b-b356-1bab4222e95d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182402/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Deleting a recently created file
Creating a window
Unauthorized injection to a system process
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/665fe57b-1810-4140-aa0a-59ac6b5218ba
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839311
Signature
.NET source code contains potential unpacker
Found malware configuration
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471742 Sample: o0TYGLXPS5.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Yara detected AntiVM3 2->58 60 6 other signatures 2->60 10 o0TYGLXPS5.exe 15 3 2->10         started        process3 dnsIp4 46 cdn.discordapp.com 162.159.129.233, 443, 49710 CLOUDFLARENETUS United States 10->46 13 RegAsm.exe 2 5 10->13         started        18 RegSvcs.exe 2 10->18         started        process5 dnsIp6 48 18.133.124.202, 4784, 49711, 49716 AMAZON-02US United States 13->48 44 C:\Users\user\AppData\...\tmp2FA3.tmpg r.exe, PE32+ 13->44 dropped 64 Tries to harvest and steal browser information (history, passwords, etc) 13->64 20 cmd.exe 1 13->20         started        50 185.33.234.96, 2306, 49713, 49714 TR-FBSTR Turkey 18->50 file7 signatures8 process9 signatures10 62 Suspicious powershell command line found 20->62 23 powershell.exe 14 20->23         started        25 conhost.exe 20->25         started        process11 process12 27 tmp2FA3.tmpg r.exe 23 23->27         started        file13 36 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 27->36 dropped 38 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 27->38 dropped 40 C:\Users\user\AppData\Local\...\python39.dll, PE32+ 27->40 dropped 42 16 other files (none is malicious) 27->42 dropped 30 tmp2FA3.tmpg r.exe 1 27->30         started        34 conhost.exe 27->34         started        process14 dnsIp15 52 discord.com 162.159.137.232 CLOUDFLARENETUS United States 30->52 66 Tries to harvest and steal browser information (history, passwords, etc) 30->66 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a8fd2998869405d6dd8a1e48d75c5bd072ab2768f80717b205115ec5303eb71/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 18:51:05 UTC
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkh5fgminfaf23oyuhsi25ofxudsvmtwr6ahc6zakek6yuyd5nyq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2719edd4501aae5818bb22c68a542d8a872fde8088175796674d3512445a4556
AsyncRAT
292f5a19fadef7188670b8bc2e69bcd9d1f54c7e23928427392dc135dcdc8a0d
AsyncRAT
341c2ff06edc558131f9517ebabf0ce7676457cc1d33c5ab7189961d0b28b0b8
AsyncRAT
3cf89441ca63fa9ea13557f66bb4ce7af4f5c7006e1b5574be78499624048404
AsyncRAT
4ed4aa642d67b79463edea71fa8781461cd6a63a4a01d20c497328801381a09a
AsyncRAT
632fad824e77666d3ccb676808a2f04eb349f1f0f1495e75b37aa47e690ffe14
AsyncRAT
812a2ed477ffdac4f86746d587fd8a34ac9c1f6b65c15a38ac08079c32ecfdce
AsyncRAT
a16602864c33b68b083a8a404c6500b44bf3247c474071cb7dd4216a39e5347e
AsyncRAT
dd15d364592da8dbc249ff5480112724cace64d1ac27b32693395283e4603ab8
AsyncRAT
ebb67fcc05af7a919e225a7a1f8c5bfbd65b28c22f4659527b0afb4f968ccd49
AsyncRAT
+ 1'378 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat pyinstaller rat spyware stealer suricata
Link:
https://tria.ge/reports/210825-npgz87vnzj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
18.133.124.202:4784
185.33.234.96:2306
Unpacked files
SH256 hash:
9a8fd2998869405d6dd8a1e48d75c5bd072ab2768f80717b205115ec5303eb71
MD5 hash:
1177ecfa0e8843e2b468bf219b9f5a6e
SHA1 hash:
07bebc09208f01142bbcb7baaf3eebb7c37f40af
Link:
https://www.unpac.me/results/0e8c444d-f6df-44d0-a760-281f8cb3434f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9a8fd2998869/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9a8fd2998869405d6dd8a1e48d75c5bd072ab2768f80717b205115ec5303eb71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182402/

Comments