MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037
SHA3-384 hash: ed8392da7900def8d5bf9af5ec555c8c8b1dcce7b6096aa37cb6c74497f286375bfd92451a606571a097405b995e27f4
SHA1 hash: d236a410498df38f65892674adcff11252164757
MD5 hash: ee1823ba15cd0d96b5c70a21f290fce9
humanhash: comet-equal-four-delaware
File name:ORDER #21035_pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:5'251'547 bytes
First seen:2021-03-05 13:21:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94984869e1c4b93c0069850d9e3b564b (2 x AsyncRAT, 2 x CobaltStrike, 1 x CoinMiner)
ssdeep 98304:TEVJ9FevYYMeBFh5iFIRv2Vb84BnvyBQPnRNJe1B+XKrbFAuacBSA:TSneMeR5U84SGRNJpRua
Threatray 706 similar samples on MalwareBazaar
TLSH ED363399F1B149F1ECF7C939C862C826EF323D1F07549A97128822D75F63B64292B385
Reporter abuse_ch
Tags:AsyncRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server1.mepclogistics.icu
Sending IP: 162.0.237.90
From: Narae BNC Co., Ltd. <narae@naraepack.com >
Reply-To: info@alnajeh.ae
Subject: ORDER #21035
Attachment: ORDER 21035_pdf.img (contains "ORDER #21035_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER #21035_pdf.exe
Verdict:
No threats detected
Analysis date:
2021-03-05 13:32:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f062f732-36a5-4820-a6cc-d57ea24f242b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122478/
Detection(s):
SecuriteInfo.com.PE_File_pyinstaller.16060.21689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Deleting a recently created file
DNS request
Sending an HTTP GET request
Moving a file to the %temp% subdirectory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/629796
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 363872 Sample: ORDER #21035_pdf.exe Startdate: 05/03/2021 Architecture: WINDOWS Score: 100 51 rahim321.duckdns.org 2->51 53 chongmei33.publicvm.com 2->53 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Yara detected AntiVM_3 2->61 63 5 other signatures 2->63 11 ORDER #21035_pdf.exe 14 2->11         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 11->41 dropped 43 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 11->43 dropped 45 C:\Users\user\AppData\Local\...\python27.dll, PE32+ 11->45 dropped 47 8 other files (none is malicious) 11->47 dropped 14 ORDER #21035_pdf.exe 5 11->14         started        process6 dnsIp7 55 transfer.sh 144.76.136.153, 49713, 80 HETZNER-ASDE Germany 14->55 49 C:\Users\user\AppData\...\grab.exebbmfda.tmp, PE32 14->49 dropped 18 cmd.exe 1 14->18         started        file8 process9 process10 20 grab.exe 15 6 18->20         started        24 conhost.exe 18->24         started        file11 37 C:\Users\user\word.exe, PE32 20->37 dropped 39 C:\Users\user\AppData\...\InstallUtil.exe, PE32 20->39 dropped 65 Drops PE files to the user root directory 20->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->67 26 word.exe 14 2 20->26         started        29 cmd.exe 1 20->29         started        signatures12 process13 signatures14 69 Machine Learning detection for dropped file 26->69 71 Writes to foreign memory regions 26->71 73 Allocates memory in foreign processes 26->73 75 2 other signatures 26->75 31 InstallUtil.exe 2 26->31         started        33 conhost.exe 29->33         started        35 reg.exe 1 1 29->35         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=unsm6h4bkir4znxmqrrodsedkz66d6gmxdb3ujm25xxvkiik4a3q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
00383e0cef95de02bac4a4725234f5430202e33f1d80b1dd299d682590e6d2f9
AsyncRAT
11123fd370dfdb5d9d5cade853fa923679377c7791bda00d2f415078e2729e65
AsyncRAT
30eb8727af3b8a2f4551574c7d826e9f27480e79d242b92d392b1f64091acf12
AsyncRAT
314ce9b62cecb9435d9ff2338943e4e784cbfbaf9a65dbda7fe1064f477afe41
AsyncRAT
3dcdb90a6140612a5ca5e3a3e7efbc82c43766355399965a200a5753fd1273ad
AsyncRAT
485fcf4c2834e20d71b6765eccd79f6b0880d6a9fdc5d3e519a943862e9b8246
AsyncRAT
6084cf861e6b10480c4d05cd3aefb10a92820b191d1a8813154155fa1ca7a88c
AsyncRAT
9cc659b2ca813ac76fd302254522e11352627942aa96a256da9f82ea269e6d94
AsyncRAT
ea1213c0a684662e8305cfe1c6eeebbb12a9d1404e7571438d3730cc1df1caab
AsyncRAT
f42c71d191748551be0bbb356e4dc638c60fbdc906e7d6536ed4512c5c7eab3e
AsyncRAT
+ 696 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat agilenet persistence pyinstaller rat
Link:
https://tria.ge/reports/210305-q77anx2ngn/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:49746
185.165.153.116:2703
185.165.153.116:49703
185.165.153.116:49746
54.37.36.116:2703
54.37.36.116:49703
54.37.36.116:49746
185.244.30.92:2703
185.244.30.92:49703
185.244.30.92:49746
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:49746
178.33.222.241:2703
178.33.222.241:49703
178.33.222.241:49746
rahim321.duckdns.org:2703
rahim321.duckdns.org:49703
rahim321.duckdns.org:49746
79.134.225.92:2703
79.134.225.92:49703
79.134.225.92:49746
37.120.208.36:2703
37.120.208.36:49703
37.120.208.36:49746
178.33.222.243:2703
178.33.222.243:49703
178.33.222.243:49746
87.98.245.48:2703
87.98.245.48:49703
87.98.245.48:49746
Unpacked files
SH256 hash:
a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037
MD5 hash:
ee1823ba15cd0d96b5c70a21f290fce9
SHA1 hash:
d236a410498df38f65892674adcff11252164757
Link:
https://www.unpac.me/results/448aed35-72f2-45bd-97fb-687d7efa6bba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img 4f891f878e1cbb6170fc905c2d8317da6632596ad2ff3eba675ef327ac2ad5f1

AsyncRAT

Executable exe a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037

(this sample)

  
Dropped by
MD5 33162639efbcbc41d8870e1aa9f8a945
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/122478/
  
Dropped by
SHA256 4f891f878e1cbb6170fc905c2d8317da6632596ad2ff3eba675ef327ac2ad5f1

Comments