MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT
Vendor detections: 7

SHA256 hash: 9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
SHA3-384 hash: a81ecf7cfb9671a852fbac2e96f2cb3c0ae7b8e82f02aee0212562dfe91af999e0dcc535a476edfbb043c0702b38e196
SHA1 hash: 7197ea4eaf157c2400d7d345658e18cba5cdfc0e
MD5 hash: cc5709a18a0a6ac648dfd8adaaf5c3a7
humanhash: zulu-texas-nevada-winner
File name: PO#42038-3524.exe
Signature: AsyncRAT
File size: 483'840 bytes
First seen: 2021-05-10 02:30:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:gptIVqv8/tMw7Vns3no7/MXMA59C/2h4T3wn6Frucf4IDgVDAFzBA3SrO5SK3j4e:THFMw7Y9MA59CyMAn0HfVrBTFyjT
Threatray: 84 similar samples on MalwareBazaar
TLSH: 56A4D040E90DACD9E7E5D5B3B5768B100975BEDB92F9819F2269330452B3BC321B7C0A
Reporter: abuse_ch
Tags: AsyncRAT exe RAT


abuse_ch
AsyncRAT C2:
185.157.161.20:8990

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
185.157.161.20:8990    https://threatfox.abuse.ch/ioc/34169/

Intelligence


File Origin
# of uploads: 1
# of downloads: 147
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Threat name: ByteCode-MSIL.Backdoor.Crysan
Status: Malicious
First seen: 2021-05-10 02:31:09 UTC
AV detection: 10 of 46 (21.74%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
AsyncRat
Unpacked files

SHA256 hash: a2d0e4b945aa6affd37ab9174ebc17e6610e595a6c7b81f39ef8a541bfb0c1d3
MD5 hash: 8ce29709bd9aa28a746982a52d04ca48
SHA1 hash: f7ce1c829041c39b65f543012b449dd19cbde417

SHA256 hash: 4e66d33b291e2f5d5e4c82e592d4852e37903395e501798afe499ae28c4f73a0
MD5 hash: 3ae86c270e12df8f9b0814e3a4772123
SHA1 hash: 8523428c36816b8fd33f29aaf9e3d29fdc4fb16b

SHA256 hash: 0305c4cede8e8f52353705ca089adb19c5018d418c8ef73c8c34dd0762906cab
MD5 hash: b33c964a6992ac782dee7029ec74ad36
SHA1 hash: 48fd1e973beb92edfbf5c1f6d838c68e10cd1d14

SHA256 hash: 9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
MD5 hash: cc5709a18a0a6ac648dfd8adaaf5c3a7
SHA1 hash: 7197ea4eaf157c2400d7d345658e18cba5cdfc0e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments