MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889
SHA3-384 hash: 9019e3ca1f02715de9dba9d39b2094aa1aed0cf4f29dd087b598758bacadd9653621c57457ec8fc38fe04a8fed8e61b2
SHA1 hash: 8bcf5d8ce6b33a637daa7764e104adcf8289134e
MD5 hash: 9458719b29846d25e9513c8ac3185be9
humanhash: early-six-berlin-blue
File name:Overdue unpaid amount.pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:303'616 bytes
First seen:2022-01-11 13:27:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:gkvI8sKkqPHbgaeOW6oPMjz3qmZqrdWIo/+m8N63AivrDgb:FvI8s0PHEaeOW6oPM3qmaAIo/+m8NBiX
TLSH T13F5401013BFA8814D6798F7A5EB380058A70F81B6942FBEF1DC5976E247970285C1F6B
Reporter GovCERT_CH
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Overdue unpaid amount.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-01-11 13:30:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d575975-8bdf-498d-a739-fc05db995896

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218216/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
83%
Tags:
cmd.exe control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61dd85e6e997359713dd081f/reports/19d33a97-9b01-40dd-9438-632ba984f979/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14cec9da-2035-4e67-acfa-89868373f86c
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/918352
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 550830 Sample: Overdue unpaid amount.pdf.exe Startdate: 11/01/2022 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Multi AV Scanner detection for dropped file 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 12 other signatures 2->38 7 Overdue unpaid amount.pdf.exe 7 2->7         started        process3 file4 22 C:\Users\user\AppData\...\TSZIEdcfbOmrvW.exe, PE32 7->22 dropped 24 C:\...\TSZIEdcfbOmrvW.exe:Zone.Identifier, ASCII 7->24 dropped 26 C:\Users\user\AppData\Local\...\tmp235A.tmp, XML 7->26 dropped 28 C:\...\Overdue unpaid amount.pdf.exe.log, ASCII 7->28 dropped 40 Adds a directory exclusion to Windows Defender 7->40 11 Overdue unpaid amount.pdf.exe 2 7->11         started        14 powershell.exe 24 7->14         started        16 schtasks.exe 1 7->16         started        signatures5 process6 dnsIp7 30 194.147.140.15, 3030, 49687, 49688 PTPEU unknown 11->30 18 conhost.exe 14->18         started        20 conhost.exe 16->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-11 12:03:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6s5iybzuiqdwofs2vxu6fijvopwuzhzmfeboqriohy5hznhvceq._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/220111-qqnqlsfgd2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
9ecb3c903f8cc1bcf8674587372a63c5d96128758bf86efe78b22a524c96983b
MD5 hash:
cea81e9c274a995b80616bac7251cf2f
SHA1 hash:
ad0583db70ae5f6cadac2eed59d641b814f1ecbc
Link:
https://www.unpac.me/results/2d7b8e98-6737-470b-997e-b256070c5477/
SH256 hash:
4ae0cb947b15fde5d3098d80fdd8d5056994afe47c0791638af24a140cb05491
MD5 hash:
91363484d5ee711f548dcb2893941d7d
SHA1 hash:
398c3a8a123e494d7821688d958003dccae59c7f
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/2d7b8e98-6737-470b-997e-b256070c5477/
Parent samples :
72f8238fbd47330213bafbdf4334207a27e10b5507cfd9d152828bfc349cabdb
a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889
cc6ecb1abf601cdb52778e27f966fc67d4912af696f9649413ecc19ffbad9f24
SH256 hash:
a3faeb07bf408645e88f8ea9a0b6a3455153dee76abe412219d5a3aa5c28fe2e
MD5 hash:
a3f28bdfabe794d4ae5c5d614a606ba0
SHA1 hash:
2e8c071e28f038ce11a8137f50af5255c9d7ae3b
Link:
https://www.unpac.me/results/2d7b8e98-6737-470b-997e-b256070c5477/
SH256 hash:
a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889
MD5 hash:
9458719b29846d25e9513c8ac3185be9
SHA1 hash:
8bcf5d8ce6b33a637daa7764e104adcf8289134e
Link:
https://www.unpac.me/results/2d7b8e98-6737-470b-997e-b256070c5477/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a7a5d46039a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe a7a5d46039a2203b38b2d56f4f1509ab9f6a64f9614817422871f1d3e5a7a889

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/218216/

Comments