MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a117dbdf80641bf739cf2f35385446d8d840628f0e8d4dd966dee1965ce5982f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a117dbdf80641bf739cf2f35385446d8d840628f0e8d4dd966dee1965ce5982f
SHA3-384 hash: 3bf851e212ed9ba1445c9979e044c79687e64e4e68e85c47f498148a82b9956af26bf8aa156cdae5c355e1b2230c75d8
SHA1 hash: f441eabe0df3d45ea427d7454b6804f3c4f2930c
MD5 hash: 0b1bcc5210e834a31c364cde5f110e77
humanhash: robert-california-illinois-september
File name:MY CV.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:386'048 bytes
First seen:2022-04-07 11:41:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:3GnSHudRlqzbrEcVZQ5TNk9HO0kLNcUm4gOJzLQQWCfVceUcg29YIT6aQjyEt:3JuuE0ZQfk9HOBcU+OKe8V68j3t
Threatray 2'407 similar samples on MalwareBazaar
TLSH T1CF84F129F7BBC521C296073BC6C5592803B1D645A563EB0EABCD2BDA1E037E70D82753
File icon (PE):PE icon
dhash icon b2cccccce8b2b28a (21 x AgentTesla, 14 x Formbook, 11 x SnakeKeylogger)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
79.134.225.8:6161

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.8:6161 https://threatfox.abuse.ch/ioc/517011/

Intelligence

File Origin
# of uploads :
1
# of downloads :
365
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
MY CV.exe
Verdict:
Malicious activity
Analysis date:
2022-04-07 11:43:52 UTC
Tags:
asyncrat trojan rat
Link:
https://app.any.run/tasks/90b039c2-79d9-4ee8-b572-a8e4742588de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/261702/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/624ece0abbd90911a28ed970/reports/1dd4a757-4888-4f6f-8b38-8cae9a1cd2e0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84511a24-e32d-4346-a22f-59b20bacba48
Result
Threat name:
AgentTesla AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/972328
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 604811 Sample: MY CV.exe Startdate: 07/04/2022 Architecture: WINDOWS Score: 100 101 mail.istanbulcannakliyat.com 2->101 103 istanbulcannakliyat.com 2->103 119 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->119 121 Malicious sample detected (through community Yara rule) 2->121 123 Antivirus detection for dropped file 2->123 125 12 other signatures 2->125 12 MY CV.exe 7 2->12         started        16 BffcxxI.exe 2->16         started        18 BffcxxI.exe 2->18         started        signatures3 process4 file5 85 C:\Users\user\AppData\Roaming\idjNAAexC.exe, PE32 12->85 dropped 87 C:\Users\...\idjNAAexC.exe:Zone.Identifier, ASCII 12->87 dropped 89 C:\Users\user\AppData\Local\...\tmp8073.tmp, XML 12->89 dropped 91 C:\Users\user\AppData\Local\...\MY CV.exe.log, ASCII 12->91 dropped 139 Adds a directory exclusion to Windows Defender 12->139 141 Injects a PE file into a foreign processes 12->141 20 MY CV.exe 1 5 12->20         started        24 powershell.exe 25 12->24         started        26 schtasks.exe 1 12->26         started        143 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->143 145 Machine Learning detection for dropped file 16->145 147 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->147 28 BffcxxI.exe 16->28         started        31 schtasks.exe 16->31         started        33 BffcxxI.exe 16->33         started        35 schtasks.exe 18->35         started        37 BffcxxI.exe 18->37         started        signatures6 process7 dnsIp8 105 79.134.225.8, 49752, 49758, 49762 FINK-TELECOM-SERVICESCH Switzerland 20->105 81 C:\Users\user\AppData\Local\Temp\yolzja.exe, PE32 20->81 dropped 83 C:\Users\user\AppData\Local\Temp\tsxsmt.exe, PE32 20->83 dropped 39 cmd.exe 20->39         started        42 cmd.exe 20->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        107 mail.istanbulcannakliyat.com 28->107 109 istanbulcannakliyat.com 28->109 131 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->131 133 Tries to steal Mail credentials (via file / registry access) 28->133 135 Tries to harvest and steal ftp login credentials 28->135 137 2 other signatures 28->137 48 conhost.exe 31->48         started        50 conhost.exe 35->50         started        file9 signatures10 process11 signatures12 127 Suspicious powershell command line found 39->127 129 Bypasses PowerShell execution policy 39->129 52 powershell.exe 39->52         started        54 conhost.exe 39->54         started        56 conhost.exe 42->56         started        58 powershell.exe 42->58         started        process13 process14 60 yolzja.exe 52->60         started        file15 93 C:\Users\user\AppData\...\ZSrfUEzqWPkQbW.exe, PE32 60->93 dropped 149 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 60->149 151 Machine Learning detection for dropped file 60->151 153 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 60->153 155 Adds a directory exclusion to Windows Defender 60->155 64 yolzja.exe 60->64         started        69 powershell.exe 60->69         started        71 schtasks.exe 60->71         started        73 yolzja.exe 60->73         started        signatures16 process17 dnsIp18 95 istanbulcannakliyat.com 46.31.79.106, 49777, 49832, 49835 HOSTLABTR Turkey 64->95 97 192.168.2.1 unknown unknown 64->97 99 mail.istanbulcannakliyat.com 64->99 79 C:\Users\user\AppData\Roaming\...\BffcxxI.exe, PE32 64->79 dropped 111 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 64->111 113 Tries to steal Mail credentials (via file / registry access) 64->113 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 64->115 117 Installs a global keyboard hook 64->117 75 conhost.exe 69->75         started        77 conhost.exe 71->77         started        file19 signatures20 process21
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a117dbdf80641bf739cf2f35385446d8d840628f0e8d4dd966dee1965ce5982f/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 09:05:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uel5xx4amqn7ooopf42tqvcg3dmeayupb2gu3wlg33qzmxhftaxq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1299373ec40fc1f3f16957338574a9ad51a94e62220cc8c08f1ad81dee443544
AsyncRAT
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
AsyncRAT
438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49
AsyncRAT
4964c618368217328e5fb70c84e047f18e5027ae0e6ea984b1b96c38ffad77c7
AsyncRAT
58cac4ef6c2a2c25e3a50ea093f3bc90933f046f76c14235b70cf6caf1bfd9ca
AsyncRAT
6527e25f86c1902c430fc0e52769359f831365969c35fc12ef837b7b63fcc939
AsyncRAT
cf495989e776f59e020fad15bb34b5f92573f9a1b96a51cdd5a02d31d339d502
AsyncRAT
f85fb30beeceb9e2721aa12deee155bb604c0a364f926da18644af7e6e5c7a25
AsyncRAT
f8d60cc318fc750f965180766b7edb64a81d86845b27b23f8d7bb0296adea2b7
AsyncRAT
+ 2'397 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:asyncrat botnet:default collection keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220407-ntz7psfef4/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AgentTesla
AsyncRat
Malware Config
C2 Extraction:
79.134.225.8:6161
Unpacked files
SH256 hash:
f7abb0f0b4e40b9e951a1d08afb39a77b7060eecefcb28a94d88a8a5f8542710
MD5 hash:
13aa0405d483da6cd3bfff351672b788
SHA1 hash:
facd77910c87ea0eb261caa99009a6ce27bd0a9e
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/57bb3724-c866-4074-859c-6218d019b0ec/
SH256 hash:
65629ab0bf0578ae46d32c7521caed300066c4dba39758447171f4c99dfcf872
MD5 hash:
6339b5a28ce6cfb5bc4caf8cc59d80ff
SHA1 hash:
f81396753d61e5b89599833e4b1278b8fb0449a0
Link:
https://www.unpac.me/results/57bb3724-c866-4074-859c-6218d019b0ec/
SH256 hash:
3a0b1d2a85466d3cabc82d02de18dda189ae2b0e0ca14fac0b93134d26a67349
MD5 hash:
65f9453f583b9262be0c91b3649bdf1e
SHA1 hash:
9952717b4ecf693acd2894a39c5e66b8ac621578
Link:
https://www.unpac.me/results/57bb3724-c866-4074-859c-6218d019b0ec/
SH256 hash:
e11871df824c3130e35f2c94d672404e18ebefddf3172d166f2e640ad3686c73
MD5 hash:
4379771ccd9b927712ef2505214161df
SHA1 hash:
6636b7b80e279de67c60b52277f566463afebf8e
Link:
https://www.unpac.me/results/57bb3724-c866-4074-859c-6218d019b0ec/
SH256 hash:
a117dbdf80641bf739cf2f35385446d8d840628f0e8d4dd966dee1965ce5982f
MD5 hash:
0b1bcc5210e834a31c364cde5f110e77
SHA1 hash:
f441eabe0df3d45ea427d7454b6804f3c4f2930c
Link:
https://www.unpac.me/results/57bb3724-c866-4074-859c-6218d019b0ec/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a117dbdf8064/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a117dbdf80641bf739cf2f35385446d8d840628f0e8d4dd966dee1965ce5982f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261702/

Comments