MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ba6343e794c0e415adb118885c33aa18446c746dd30ec59b4fda2724b2f08d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	9ba6343e794c0e415adb118885c33aa18446c746dd30ec59b4fda2724b2f08d7
SHA3-384 hash:	11b46be29a2da1c74ab42403b0ebbbb3beb8a7b9cc708e5ab8c78ae4de19fa6116945a0c28a0ce30471e177feabfd7c1
SHA1 hash:	fb016666d6963e136f241908efed90b56e57b082
MD5 hash:	723f32a52c1aa09334b96647b4fb6beb
humanhash:	fourteen-sierra-bulldog-carpet
File name:	Proforma Invoice 09.PDF.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	248'832 bytes
First seen:	2020-07-29 06:45:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:2ytlNAqr8+7q6LIv8iEUtx1pTgTmCIfL:ttrXZLRiNtx1pTTvz
Threatray	5'013 similar samples on MalwareBazaar
TLSH	2534CF2463A68F17D55ED3F80A17A80123B9EDA9C472E34C0EC572DF99B2FB16460B47
Reporter	abuse_ch
Tags:	AsyncRAT exe nVpn RAT

abuse_ch

Malspam distributing AsyncRAT:

HELO: albayrakbeton.com.tr
Sending IP: 45.90.222.242
From: Banu ALAKENT <banualakent@albayrakbeton.com.tr>
Subject: FW: We are sending oficial Proforma Invoice for Bank enclosed.
Attachment: Proforma Invoice 09.PDF.ARJ (contains "Proforma Invoice 09.PDF.exe")

AsyncRAT C2:
79.134.225.55:9654

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin

# of uploads :

1

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/34253/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Unauthorized injection to a recently created process

Connection attempt

Connection attempt to an infection source

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/401363

Signature

.NET source code contains potential unpacker

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ba6343e794c0e415adb118885c33aa18446c746dd30ec59b4fda2724b2f08d7/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 02:38:35 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=totdiptzjqhecww3cgeilqz2ugcenr2g3uyoywnu7wrheszpbdlq._file

Verdict:

malicious

Similar samples:

11d8da5aedad9fde99211e94796aba422762ee6943f359c313626faf2eb0638f

27d1e735572f83321a266037a5f451e145008e308d6278c63a6ef106e2d298a5

3ef781d62c1d2c6aab1f44ea337439553d249ff98a4b70ded2b21ce1cb39bba4

8a020281d5b475372fcf518c8f4a6b913b3a855c458996a9d7b525062ad736ec

8e6f297527e6eb70b658b01c08cf16d6e88a1d5716eaf2f3162ab5b972112ba9

96b1ce824a3687c29b0cb8663c62a09545eb713a3dcf776c29c9a85a393e5d1c

97d23ffd00c0dd37730804366759beb11de41f3f5d245014e976a57d667a5ccd

cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8

d6ba040d10d1fb8e0f6a8b1d5378be566f6d3816bf1a00fb3e0bb6eed29346b2

f22ea9b80af6dab15179a98494ece17216381d9b334c6bb2a130040eeafaf614

+ 5'003 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

rat family:asyncrat

Link:

https://tria.ge/reports/200729-9e2wae93v2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Async RAT payload

AsyncRat

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/9ba6343e794c0e415adb118885c33aa18446c746dd30ec59b4fda2724b2f08d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

arj 23ab43fd88aa9a3dcbb9680b08aa66293da0089e9309d3a57feb9abb45e19d5a

exe 9ba6343e794c0e415adb118885c33aa18446c746dd30ec59b4fda2724b2f08d7

(this sample)

Dropped by

MD5 e33b73840fbae15ba9a348626b1b71ed

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 23ab43fd88aa9a3dcbb9680b08aa66293da0089e9309d3a57feb9abb45e19d5a

Cape

Cape

https://www.capesandbox.com/analysis/34253/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample