MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c7ee2c3befdcbea7cbbf3f32c7d1fe65b63d6a1db6ba11ed3bed8ba44b5b2ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c7ee2c3befdcbea7cbbf3f32c7d1fe65b63d6a1db6ba11ed3bed8ba44b5b2ec
SHA3-384 hash: 85253570e2ce4bad0ed60d49a8254d2d90ba8df1839ec01cd6397cebe0ccbc95be5f22626861fe24c58a740868e72a94
SHA1 hash: 8d7f4faf5b943ef98ac0b701826870ce31a8a42e
MD5 hash: 6e71a5de734a6b91489f213f60605897
humanhash: october-kansas-equal-nuts
File name:RFQ#000022513.pdf.z
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:422'168 bytes
First seen:2023-05-05 06:59:56 UTC
Last seen:2023-05-05 07:00:48 UTC
File type: z
MIME type:application/x-rar
ssdeep 12288:PLGCkpo3GJpQM73VNgHgnDbSLAhzBbMfb6604:TGCkpkGLFNgHQD2fbC4
TLSH T1779423B06AECD2125AC1D6A2A27DBF3154020FD0AEE1E89F147C259536354373EDADA3
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AsyncRAT RFQ z


Avatar
cocaman
Malicious email (T1566.001)
From: "Judith Dalgado <j.dalgado@auragroup-intl.com>" (likely spoofed)
Received: "from auragroup-intl.com (unknown [95.214.27.226]) "
Date: "4 May 2023 08:12:16 -0700"
Subject: "RFQ URGENT-URGENT"
Attachment: "RFQ#000022513.pdf.z"

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.214.27.226:8808 https://threatfox.abuse.ch/ioc/1109528/

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:RFQ#000022513.pdf.exe
File size:986'112 bytes
SHA256 hash: 6e0d1cb1133304a618380fcab64b991b98ff1c892525b316ec68173fd3aeca55
MD5 hash: 4e62537601a223c6a2ee2a93362040fa
MIME type:application/x-dosexec
Signature AsyncRAT
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28929.RarHeur.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
golang packed
Link:
https://www.filescan.io/uploads/6454a97151c1aae07a842325/reports/e6625bf5-7080-4b2a-89a3-488bb85cc4db/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9c7ee2c3befdcbea7cbbf3f32c7d1fe65b63d6a1db6ba11ed3bed8ba44b5b2ec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c7ee2c3befdcbea7cbbf3f32c7d1fe65b63d6a1db6ba11ed3bed8ba44b5b2ec/
Threat name:
Win64.Trojan.Rozena
Create hunting rule
Status:
Malicious
First seen:
2023-05-04 07:01:14 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tr7ofq567xf6u7f36pzsy7i74znwhvvb3nv2chwtx3mlurfvwlwa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AsyncRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c7ee2c3befdcbea7cbbf3f32c7d1fe65b63d6a1db6ba11ed3bed8ba44b5b2ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4
Create hunting rule
Author:Florian Roth
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

z 9c7ee2c3befdcbea7cbbf3f32c7d1fe65b63d6a1db6ba11ed3bed8ba44b5b2ec

(this sample)

AsyncRAT

Executable exe 6e0d1cb1133304a618380fcab64b991b98ff1c892525b316ec68173fd3aeca55

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6e0d1cb1133304a618380fcab64b991b98ff1c892525b316ec68173fd3aeca55
  
Dropping
AsyncRAT

Comments