MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f4d88e9eeae7ffc241646d0233acb29bedbc9bc0c124b949567a894f8af6f54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f4d88e9eeae7ffc241646d0233acb29bedbc9bc0c124b949567a894f8af6f54
SHA3-384 hash: e5075afa1c80427088da0ce71c572d0a140113b614bbda518f09f2e4b830e965922d46071c83068cbe467769c29ae389
SHA1 hash: 28af69152d3eac34d9dc8fec0a1ceb2c63de429a
MD5 hash: 42aea50814ad0d8edce593ca559d142c
humanhash: kentucky-hotel-speaker-ohio
File name:update_py-final-stage.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:497'664 bytes
First seen:2022-01-21 14:11:36 UTC
Last seen:2022-01-21 16:19:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:vvFmp0OEFNrZYgG/9SaVdUN5ZulY8hCNKDCU+ZF6JtLaxOvMl:va8r2geNL
Threatray 70 similar samples on MalwareBazaar
TLSH T1B3B42B343EEA502AB273FF699AE4359BD95FBB633B03585D106103864B23A42DED143D
Reporter 0x746f6d6669
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221475/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.20644.22848.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching the process to change the firewall settings
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61eabf37d32385db631575d4/reports/024c997d-dd8d-4703-bbb5-a01904525de2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c3a2a72-b4df-4225-8850-821994243cb4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925234
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Enables a proxy for the internet explorer
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sets a proxy for the internet explorer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 557712 Sample: update_py-final-stage.exe Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 34 www.google.com 2->34 36 google.com 2->36 38 getcnf.cn 2->38 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 5 other signatures 2->52 9 update_py-final-stage.exe 1 2->9         started        signatures3 process4 file5 26 C:\Users\...\update_py-final-stage.exe.log, ASCII 9->26 dropped 54 Writes to foreign memory regions 9->54 56 Allocates memory in foreign processes 9->56 58 Modifies the context of a thread in another process (thread injection) 9->58 60 Injects a PE file into a foreign processes 9->60 13 FileHistory.exe 17 61 9->13         started        signatures6 process7 dnsIp8 40 niceone20.cn 165.22.207.76, 49745, 49748, 49749 DIGITALOCEAN-ASNUS United States 13->40 42 checkip.dyndns.org 13->42 44 7 other IPs or domains 13->44 62 Installs new ROOT certificates 13->62 64 May check the online IP address of the machine 13->64 66 Tries to steal Mail credentials (via file / registry access) 13->66 68 6 other signatures 13->68 17 powershell.exe 14 18 13->17         started        20 netsh.exe 3 13->20         started        signatures9 process10 dnsIp11 28 google.com 142.250.180.142 GOOGLEUS United States 17->28 30 www.google.com 142.250.184.100 GOOGLEUS United States 17->30 32 2 other IPs or domains 17->32 22 conhost.exe 17->22         started        24 conhost.exe 20->24         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f4d88e9eeae7ffc241646d0233acb29bedbc9bc0c124b949567a894f8af6f54/
Threat name:
ByteCode-MSIL.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 14:12:11 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
35616cb24994c8f53d586c6a5959c1011331e4c224be38bb5de08ee89378ecb8
AsyncRAT
3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
AsyncRAT
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
AsyncRAT
6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5
AsyncRAT
716408476bc23c3e74a852ed6246dd60e8ed18533bedc13d4984279c97cd1a74
AsyncRAT
c07aff77a2523b0fa86790e3dab7341e75fa557cdcb7f850b5cc803f6260cf88
AsyncRAT
cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13
AsyncRAT
d0f8a2be536ca434da7734bd318d2a88ea5005f47d518c30ff611185f42c3701
AsyncRAT
+ 60 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat collection evasion rat suricata
Link:
https://tria.ge/reports/220121-rhvdvshhhm/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Blocklisted process makes network request
Modifies Windows Firewall
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
niceone20.cn:7201
fjuj84hgoa84gn.xyz:7201
getupdated2021win2k.cn:7201
Unpacked files
SH256 hash:
9f4d88e9eeae7ffc241646d0233acb29bedbc9bc0c124b949567a894f8af6f54
MD5 hash:
42aea50814ad0d8edce593ca559d142c
SHA1 hash:
28af69152d3eac34d9dc8fec0a1ceb2c63de429a
Link:
https://www.unpac.me/results/c3fd9556-50d7-4a25-a0e6-fc3808be4155/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/9f4d88e9eeae7ffc241646d0233acb29bedbc9bc0c124b949567a894f8af6f54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221475/

Comments