MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd
SHA3-384 hash: 2cdde42b65cc687ec5e5200aaf5a456bdaa77a3a917537079f7b59b3abe5a147dd4968101669a8a0721ffc4f3a985bb1
SHA1 hash: 38e022a0ede58cb7bcbc1e0992f12d0a47a0601f
MD5 hash: d5a97ee20fedd500016eb01a4705bdea
humanhash: uniform-foxtrot-jersey-double
File name:abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:275'539 bytes
First seen:2021-09-21 08:35:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:t8LxBoj/evZJrKCM9UswCRWGYi1hqulZu7pCMy:zjSZKUb3GYwbl02
Threatray 11'296 similar samples on MalwareBazaar
TLSH T17244230072D3CDFBC1B250B14A772761FFB395850232558B9B94EA3B5AB224B5F36682
File icon (PE):PE icon
dhash icon c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter JAMESWT_WT
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd
Verdict:
Malicious activity
Analysis date:
2021-09-21 09:34:31 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/43c26617-6861-4c96-a455-f905020c692e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
asyncrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189780/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e27131a9-d68f-4a94-b8eb-ea7e90f5cdf7
Result
Threat name:
AgentTesla AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854758
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487194 Sample: n5JNGKF1Iw Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 10 other signatures 2->52 10 n5JNGKF1Iw.exe 17 2->10         started        process3 file4 32 C:\Users\user\AppData\...\bzngvyqehii.dll, PE32 10->32 dropped 58 Writes to foreign memory regions 10->58 60 Maps a DLL or memory area into another process 10->60 14 MSBuild.exe 2 4 10->14         started        signatures5 process6 dnsIp7 38 45.144.225.194, 2424, 49737, 49739 DEDIPATH-LLCUS Netherlands 14->38 36 C:\Users\user\AppData\Local\Temp\taexrq.exe, PE32 14->36 dropped 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->40 42 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->42 44 Tries to harvest and steal browser information (history, passwords, etc) 14->44 19 cmd.exe 1 14->19         started        file8 signatures9 process10 signatures11 54 Suspicious powershell command line found 19->54 56 Bypasses PowerShell execution policy 19->56 22 powershell.exe 14 19->22         started        24 conhost.exe 19->24         started        process12 process13 26 taexrq.exe 17 22->26         started        file14 34 C:\Users\user\AppData\Local\...\iktpwrmvo.dll, PE32 26->34 dropped 62 Machine Learning detection for dropped file 26->62 64 Writes to foreign memory regions 26->64 66 Maps a DLL or memory area into another process 26->66 30 MSBuild.exe 2 26->30         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd/
Threat name:
Win32.Trojan.LokibotCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 03:19:29 UTC
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vp2q3ribsqgorlwjohmi7t4skkuugwe7lvccq5kw42jjgdaekhoq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6
AsyncRAT
837561ccbf6df0ba4970090ebf2bfa4f72bf5dffbe3175b1c78a49fa99b5e55e
AsyncRAT
83bf33f59a2317bc1dd4457798cae79e2d607d511cf12c3c0cff36886fe20d19
AsyncRAT
a94300306564203d77d7112d7abd3931d555ee20de742ffb032e9dc1b5c3e2a0
AsyncRAT
bb5de34eed16e7157d51f93f11e1d135254a429ca8bea94d28e1bc55380ed1ad
AsyncRAT
c185f1b12000aef63c347017f36ab8b9e67a08fcc22e5ed83695c1cc4f168f23
AsyncRAT
c7c288160e686a6f315eb2520abb81f8ce815cd8e06e3adf92e4a437f82fbf50
AsyncRAT
fb81339d0f0f69f966566b9253f11d6b2d3ba3929f4c7407a6e046362334b1ee
AsyncRAT
fc40429e1461e2cc002fdb2b131ca7eadd4f3a688a24130197667c3493213986
AsyncRAT
ff3c4b310b642ebc8de1d558e3386a423f6fbd203a825d5af6ff337594b7d655
AsyncRAT
+ 11'286 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:asyncrat botnet:default keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/210921-khlcmaghe8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
Async RAT payload
AgentTesla
AsyncRat
Malware Config
C2 Extraction:
45.144.225.194:2424
https://api.telegram.org/bot1900836728:AAEDyoYbBJwtt1EA4hdgRlGTN1cq760KPNU/sendDocument
Unpacked files
SH256 hash:
4b724b5ccc2786937c6b0784c85768f4069f0819a6ba7cf55eb1842685739e53
MD5 hash:
6c39416ead9334bf93e0b38ef07f5991
SHA1 hash:
ca64c970efac48357e7f05095e58ee4b81a4c323
Link:
https://www.unpac.me/results/ba8311cf-591e-4260-9d77-7e15b19bdd55/
SH256 hash:
f58aef9b5084efd45c069f21e9f236f307df2ade45642c42c85c33118dd4ea24
MD5 hash:
05afd4a36368b0d1e429497557d9fa6d
SHA1 hash:
5134bb8df73ff16f089d4c5cc4bfc0be5c017865
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/ba8311cf-591e-4260-9d77-7e15b19bdd55/
Parent samples :
74a84bdb0f585210ceec553a0e290a00da96a575733cb6ab0c38f67668cd9979
a94300306564203d77d7112d7abd3931d555ee20de742ffb032e9dc1b5c3e2a0
abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd
7ce959339fe4a6de5ccd99f6eaadffec65bdfef6fc101621d04fcf48b815596a
SH256 hash:
abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd
MD5 hash:
d5a97ee20fedd500016eb01a4705bdea
SHA1 hash:
38e022a0ede58cb7bcbc1e0992f12d0a47a0601f
Link:
https://www.unpac.me/results/ba8311cf-591e-4260-9d77-7e15b19bdd55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/abf50dc501940ce8aec971d88fcf9252a943589f5d44287556e692930c0451dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189780/

Comments