MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9
SHA3-384 hash: 7ae6a0a6c8bab236ead0bad569f337bf3f0fcb23931cb8e6d65d268fb6a203e3ecac59ab113fe7e074e5b624111afd8a
SHA1 hash: 011d411b3a0829f9cb468853e20824d0baad2173
MD5 hash: 2f9ef6a1d891c9a6d3eb9cf3523ab799
humanhash: pizza-eleven-cola-double
File name:STW-PO#121020_Inquiry.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:452'096 bytes
First seen:2020-10-12 08:41:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:iWl2Iaf11H89LoyDPVncV0Sqxh2dh59dH8:iJld18LoyDGV0Sqxh2dhHd
Threatray 352 similar samples on MalwareBazaar
TLSH 6AA4E0323764EB26E53EE7BD183910042BF1B496EB11D36ABD9580DD09B6F85C762B03
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

From: "LyndSea" <hr@leasano.pw>
Reply-To: "LyndSea" <jack.piaau@gmail.com>
Subject: RE: Strapworks Drawing + PO Inquiry
Attachment: STW-PO121020_Inquiry.iso (contains "STW-PO#121020_Inquiry.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
DNS request
Connection attempt
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488190
Signature
Connects to a pastebin service (likely for C&C)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 08:43:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzfmo4k7o6nvsh3yt22om2suvduke2cvvciit3tomcapmerru7eq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0c34d4763fc968ccbe9f33dec2ae9e3e132a61b40ffc93cc22f337a0758c0279
AsyncRAT
222cdcb38abb9e24d7e198943ded854951b855b0aa02b396959cfe2a51a4a078
AsyncRAT
430bbefe89bad382de0a7831e7afc238f397a930a235d208585fb2bfb0b950bc
AsyncRAT
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
AsyncRAT
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
AsyncRAT
7caf87ac1666f10cbbff4cc01d51ec4df556908b2d8d55d5c4f0f3724dceded1
AsyncRAT
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
AsyncRAT
c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef
AsyncRAT
e132699f63854eb3c66be165867f2cafc37d29a8a3a4ca3c4c6949ed42ddde95
AsyncRAT
f0006754d451556014c91039915ea9505f348f80538e536d30b75c5ef252d73d
AsyncRAT
+ 342 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat family:asyncrat
Link:
https://tria.ge/reports/201012-sx4gzr7vl2/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
null:null
Unpacked files
SH256 hash:
a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9
MD5 hash:
2f9ef6a1d891c9a6d3eb9cf3523ab799
SHA1 hash:
011d411b3a0829f9cb468853e20824d0baad2173
Link:
https://www.unpac.me/results/d527c8c3-d912-4e20-82e5-d4d828e49ddf/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/d527c8c3-d912-4e20-82e5-d4d828e49ddf/
SH256 hash:
1a3af9e398b24f1228b562d0ab89be9418b7f9dc5c83d7e5e4584389fc5449f6
MD5 hash:
aa1c1fbdc598afb725409585a570c159
SHA1 hash:
2a67f7c7b8a3685831209cef485f9708981dddb9
Link:
https://www.unpac.me/results/d527c8c3-d912-4e20-82e5-d4d828e49ddf/
SH256 hash:
aaf25535feeef2ec4a4a41128f5f798079f2faa3b2f4143ea15a3cf9fca552f7
MD5 hash:
7894f94895821bf10998e0dae888d6b4
SHA1 hash:
bef3c0bf0c8b010430c51ed0a36e3ce6dac39fb5
Link:
https://www.unpac.me/results/d527c8c3-d912-4e20-82e5-d4d828e49ddf/
SH256 hash:
109065a610edf41c7eda9887e40d9e0cb262691466bb14892851748b1cb83973
MD5 hash:
63dfa226598d0f1854bad04e4145e08c
SHA1 hash:
c4e564321f83610a2493886970e974536b17c739
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/d527c8c3-d912-4e20-82e5-d4d828e49ddf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a4e514e927c7ce7a435fcce7b9ac78bc

AsyncRAT

Executable exe a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9

(this sample)

  
Dropped by
MD5 a4e514e927c7ce7a435fcce7b9ac78bc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70001/

Comments