MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a487a9e3d3b6e246445818eef1ccfa3398c63b3a2195325431fd54adc35ea6d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a487a9e3d3b6e246445818eef1ccfa3398c63b3a2195325431fd54adc35ea6d1
SHA3-384 hash: 80d451987da5ef990d8a03846195182642567886e75c870ffe746748fe743954e957255f776cba1a664d21f7dc946b7d
SHA1 hash: 388db7952de25d2e601ce67c00ff29553fc71a67
MD5 hash: 05105036a01bb0f7fff05264d83f244f
humanhash: oscar-california-mississippi-three
File name:SecuriteInfo.com.Trojan.GenericKD.45685113.32456.8370
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:13'312 bytes
First seen:2021-02-06 11:50:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'880 x AgentTesla, 19'800 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 384:f6XR5DVJ3peh6LUtnsqMBzBEeC+dqf4dK:faHDVJ3+GfzaeC+dhd
Threatray 587 similar samples on MalwareBazaar
TLSH 7A52F92507D4C3BADCBF1BF248B392410B71ED478927E66E99C4A12A5E6364087E3772
Reporter SecuriteInfoCom
Tags:AsyncRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.45685113.32456.8370
Verdict:
Malicious activity
Analysis date:
2021-02-06 11:58:00 UTC
Tags:
loader
Link:
https://app.any.run/tasks/be0b6819-30ad-458c-89d3-11ed798e9b5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115928/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45685113.32456.8370.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
75 / 100
Link:
https://www.joesandbox.com/analysis/601073
Signature
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349556 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 06/02/2021 Architecture: WINDOWS Score: 75 36 f2iu21id1ld1.ddns.net 2->36 38 cdn.onenote.net 2->38 46 Antivirus detection for dropped file 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 8 other signatures 2->52 9 SecuriteInfo.com.Trojan.GenericKD.45685113.32456.exe 15 4 2->9         started        13 Runtime Broker.exe 14 2 2->13         started        signatures3 process4 dnsIp5 40 gavrilobtcapikey2884238984928.netsons.org 89.40.172.121, 49724, 80 ASSUPERNOVAIT Italy 9->40 32 C:\Users\user\Desktop\Runtime Broker.exe, PE32 9->32 dropped 15 Runtime Broker.exe 7 9->15         started        42 f2iu21id1ld1.ddns.net 79.44.112.200, 8080 ASN-IBSNAZIT Italy 13->42 44 pastebin.com 104.23.98.190, 443, 49729 CLOUDFLARENETUS United States 13->44 file6 process7 file8 34 C:\Users\user\AppData\...\Runtime Broker.exe, PE32 15->34 dropped 18 cmd.exe 1 15->18         started        20 cmd.exe 1 15->20         started        process9 process10 22 Runtime Broker.exe 2 18->22         started        24 conhost.exe 18->24         started        26 timeout.exe 1 18->26         started        28 conhost.exe 20->28         started        30 schtasks.exe 1 20->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a487a9e3d3b6e246445818eef1ccfa3398c63b3a2195325431fd54adc35ea6d1/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 03:16:48 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
029afe41cf483d777bfa2608cf6b14d9b69faab8b09b94c693f609e78a996b58
AsyncRAT
0cbaa31d4f7ff28a87e5d22237e7c46ed5daf49f4d288349fdaf0275a99fd1fc
AsyncRAT
1ba1a86e6f5e0e1e2f1a596018465345a90822163264c05647e8155edb88ce64
AsyncRAT
44f4f177451fb372e7bdb38a81c93bf82de9e8e1f64622fa09e591afb48f3b1a
AsyncRAT
7b8737c1334e0ed07632ae06bf455a47ca63ed00b8dc3633d09b028c91868405
AsyncRAT
8729750b31237377d6416a747798d27c796f1a33fbc13c0b5274346ecb501ee4
AsyncRAT
960ee0a08a3b542c30baa19546f38f1eeeab56543997dc338e79273b0dcecc23
AsyncRAT
993f01148133d8a9209f21bd9336ad925311dd05990ea6b895754e4601a9444c
AsyncRAT
a6184cc11ae5e53a2c52fc668690561b0ed9b7217e0ff7c0b236bce30fba1da3
AsyncRAT
f0ed88c2acc141ae677f7b1b99840a43cf593557dfec56d35b70b14f52521c2f
AsyncRAT
+ 577 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat ransomware rat
Link:
https://tria.ge/reports/210206-acpxd5vv8a/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
null:null
Unpacked files
SH256 hash:
a487a9e3d3b6e246445818eef1ccfa3398c63b3a2195325431fd54adc35ea6d1
MD5 hash:
05105036a01bb0f7fff05264d83f244f
SHA1 hash:
388db7952de25d2e601ce67c00ff29553fc71a67
Link:
https://www.unpac.me/results/db77645e-8fe8-4175-8deb-561ca31cfc14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a487a9e3d3b6e246445818eef1ccfa3398c63b3a2195325431fd54adc35ea6d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe a487a9e3d3b6e246445818eef1ccfa3398c63b3a2195325431fd54adc35ea6d1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/992209/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115928/

Comments