MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 9

SHA256 hash: ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
SHA3-384 hash: 866ad4ea77f16b58464f2b33ab9c84190ead2122e041d0382e434d39014af9ce91d3da47108f03b12ede6acd7e64b3d6
SHA1 hash: 63a5eb6563208137d12dd8fa4ede2e2c98e70033
MD5 hash: 9bc1a47fdbd32cc92c94a9d1a84597ac
humanhash: texas-venus-one-georgia
File name: Order Sheet.exe
Signature: AsyncRAT
File size: 2'758'144 bytes
First seen: 2021-05-06 00:45:42 UTC
Last seen: 2021-05-06 01:01:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 3072:o7UvhdVnsXiEc4kmfFBF7QUUU13UZUHpOF8U2ySqUNGUZuiTGoXUOt2qUFRKhTCs:o7UvXFz
Threatray: 219 similar samples on MalwareBazaar
TLSH: 06D5DC311DE14F41A636317A7F29F0DB1D0B672681B2C4F865581B9ACB393DA4EB43B2
Reporter: abuse_ch
Tags: AsyncRAT exe RAT


abuse_ch
AsyncRAT C2:
185.140.53.139:2404

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
185.140.53.139:2404  https://threatfox.abuse.ch/ioc/29902/

Intelligence


File Origin
# of uploads: 2
# of downloads: 112
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to delay execution (extensive OutputDebugStringW loop)
Uses dynamic DNS services
Yara detected AsyncRAT
Behaviour
Behavior Graph (ID: 407286; Sample: Order Sheet.exe; Start date: 07/05/2021; Architecture: WINDOWS; Score: 100)

Network:
  skylucky.duckdns.org -> 185.140.53.139, port 2404 (local ports 49727, 49731), DAVID_CRAIGGG, Sweden
  192.168.2.1 (unknown)
  prda.aadg.msidentity.com

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Sigma detected: Powershell adding suspicious path to exclusion list; 13 other signatures

Process tree:
  Order Sheet.exe
    dropped: C:\Windows\Cursors\...\svchost.exe (PE32); C:\Users\...\1Ua9ea19ce4Va7ea83fucAac58.exe (PE32); C:\Windows\...\svchost.exe:Zone.Identifier (ASCII); 2 other files (1 malicious)
    signatures: Creates an autostart registry key pointing to binary in C:\Windows; Adds a directory exclusion to Windows Defender; Hides threads from debuggers; Injects a PE file into a foreign processes
    cmd.exe
      conhost.exe
      timeout.exe
    powershell.exe
      conhost.exe
    powershell.exe
      conhost.exe
    8 other processes
      dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
      AdvancedRun.exe
      conhost.exe
      conhost.exe
      4 other processes
  svchost.exe
    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  1Ua9ea19ce4Va7ea83fucAac58.exe
    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
  3 other processes
    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat evasion persistence rat trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Async RAT payload
Nirsoft
AsyncRat
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction: skylucky.duckdns.org:2404

Unpacked files

SHA256 hash: fcebf2e35d68757cd876346b1d40d7f5e40b9e35cee0eb401bcb4b95143df478
MD5 hash: b22a2313e07b8c9122414ba0f4169b74
SHA1 hash: e4ae4fcf74fb1f549ac8cb2a199b02d5700fb507
Detections: win_asyncrat_w0

SHA256 hash: 3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash: 5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash: 8552a2f2afca501945fe57c1875970b6f777f709

SHA256 hash: 5d97a7e2ddf666cd09b8c80467a03a7f66c8abaa6551e63f32b5be40ddf9bcfd
MD5 hash: e7649fec6bcbd27b97558881b4ba82a3
SHA1 hash: 2a1d0d3cf39a0ad9ab0c34888de889fc2ab523da

SHA256 hash: ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
MD5 hash: 9bc1a47fdbd32cc92c94a9d1a84597ac
SHA1 hash: 63a5eb6563208137d12dd8fa4ede2e2c98e70033

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author: ditekSHen
Description: Detects file containing reversed ASEP Autorun registry keys

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: Reverse_text_bin_mem
Author: James_inthe_box
Description: Reverse text detected

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments