MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af5e70e406eafaae114fd627f046eb01da25a587c349f8e21f043877ad19e696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af5e70e406eafaae114fd627f046eb01da25a587c349f8e21f043877ad19e696
SHA3-384 hash: a0c8439b14a3b79a8e7a79e3ae28769ceb4f53cc5289fde38ae691e4f4df6afee6503b82337a1e4325634dd0fb5006f0
SHA1 hash: 3e763bbcde555c13ba5d3277ccdda5b186c3fc2b
MD5 hash: c3d0ea9d54452d1a6363c03da59b2705
humanhash: texas-whiskey-fourteen-mockingbird
File name:Doc#66202009475352576534465009.pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:5'242'880 bytes
First seen:2020-07-03 06:27:17 UTC
Last seen:2020-07-03 07:48:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 98304:9b0u5KzC6I+Bfk6kyLR4/esGv8OvE3r0MCb1LA8PClDdd+iYI7vSezxe5+:p0CQC6xf2esGvbvGsLBYyi57aezQ5+
Threatray 767 similar samples on MalwareBazaar
TLSH 1736027E3992901BC029457584A96DD02770FDE73712CB0E7C85FA8D9E323D77E222A6
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: [104.36.229.108]
Sending IP: 104.36.229.108
From: Purchase <purchase@arabico.ae>
Subject: URGENT QUOTATION - arabico company dubai
Attachment: Doc66202009475352576534465009.pdf.zip (contains "Doc#66202009475352576534465009.pdf.exe")

AsyncRAT C2:
91.193.75.59:9980

Hosted on nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-06-12T19:27:12Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18610/
Detection(s):
SecuriteInfo.com.LuheFihaA.9149.24271.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af5e70e406eafaae114fd627f046eb01da25a587c349f8e21f043877ad19e696/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 13:34:00 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5phbzag5l5k4ekp2yt7arxlahncljmhyne7ryq7aq4hpliz42la._file
Verdict:
suspicious
Similar samples:
071fb094c702a43057a4f81b60030352529249fb796780b00bdbbe2fb4316876
AsyncRAT
17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71
AsyncRAT
1c4c55d54ade2d944fd18ed704c01bf9e3e62dabdaa54ee7871794ba9565bf28
AsyncRAT
277bc43d33a51eed72dd34cb154885d184538331cf812fa8276facb5ee2b9e0f
AsyncRAT
37b2228868b961b5d3c37d001a09de919aefe488440d06d12c617ad6e72c79c9
AsyncRAT
582a065ea88a6240e88f101004a754ecc4b82d4ee43f76938c0b4081a9e08f2e
AsyncRAT
5f0f76108593d7ecc8a5932e244c0168947b173bf24369ced9793f9a034d04c5
AsyncRAT
867eb496d9f6122024560c00e0a2fde238fed90558dd0b4b838047c8eed8196c
AsyncRAT
c2e6a6a4dcceeb65c2b769b92223c4b5c6de325709146391a4863dd56f4eb3d1
AsyncRAT
d9edf42affd4dae1e5c0260eb6095e8ea3f03812e2479820dc6a41183adbe827
AsyncRAT
+ 757 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200703-gbk6mm8fj2/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 44c095e629319cb98889b8736e06c9a6903aa792ddf38c69b1d9731bb9c38153

AsyncRAT

Executable exe af5e70e406eafaae114fd627f046eb01da25a587c349f8e21f043877ad19e696

(this sample)

  
Dropped by
MD5 41c4f4551e8c5e9c919f7d8e56431f4d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 44c095e629319cb98889b8736e06c9a6903aa792ddf38c69b1d9731bb9c38153
Cape
Cape
https://www.capesandbox.com/analysis/18610/

Comments