MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86
SHA3-384 hash: 9e6b16e61dce928a68abc58f5be36a88de9a0dfa5a38cdaa6215861473d2138364123dc92fc1895321426d520bdd61cc
SHA1 hash: 8133ec36f8bbc7a0d4290aef2b3134db6bd2a069
MD5 hash: 8e8fe0ec459352fcea811a941ff14888
humanhash: autumn-cold-three-eleven
File name:SCAN_00210.EXE
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:44'544 bytes
First seen:2022-04-12 06:37:47 UTC
Last seen:2022-04-12 07:38:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 384:Nni/7h7+loct/n7kXHwVJffffft+SnJyXnLHHJCU8rUUvYxqS/T+zRmhmq3jb34X:N4UewcW0LHB8rUUGruTgDY
Threatray 1'328 similar samples on MalwareBazaar
TLSH T153134AD6B7540B32CDE907364CF253302B77ED55AAF3EB0B588871551E73F804682AAA
File icon (PE):PE icon
dhash icon 30f8c4d4dcc8e0e0 (1 x AsyncRAT)
Reporter cocaman
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SCAN_00210.EXE
Verdict:
Malicious activity
Analysis date:
2022-04-13 05:49:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0bf45db6-9cf3-40cc-8f47-df7796415a2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262875/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50115848.31251.13088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installutil.exe obfuscated packed
Link:
https://www.filescan.io/uploads/62551e4dffe27d5119b264d9/reports/69cd0bc7-88b2-4b5b-87f9-f166948cdc5c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27b5641e-8c69-48b7-8f08-9f143204660d
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975099
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607586 Sample: SCAN_00210.EXE Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 10 other signatures 2->60 7 SCAN_00210.EXE 16 7 2->7         started        12 Vneqh.exe 14 3 2->12         started        14 Vneqh.exe 2->14         started        process3 dnsIp4 44 idea-time.com 31.170.166.136, 443, 49730, 49771 AS-HOSTINGERLT United States 7->44 46 192.168.2.1 unknown unknown 7->46 30 C:\Users\user\AppData\Roaming\...\Vneqh.exe, PE32 7->30 dropped 32 C:\Users\user\...\Vneqh.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\...\SCAN_00210.EXE.log, ASCII 7->34 dropped 62 Writes to foreign memory regions 7->62 64 Injects a PE file into a foreign processes 7->64 16 InstallUtil.exe 14 15 7->16         started        20 cmd.exe 1 7->20         started        22 InstallUtil.exe 7->22         started        24 3 other processes 7->24 66 Machine Learning detection for dropped file 12->66 file5 signatures6 process7 dnsIp8 36 api.telegram.org 149.154.167.220, 443, 49805 TELEGRAMRU United Kingdom 16->36 38 api.anonfile.com 45.154.253.153, 443, 49804 SVEASE Sweden 16->38 40 freegeoip.app 188.114.96.7, 443, 49798 CLOUDFLARENETUS European Union 16->40 48 Tries to steal Mail credentials (via file / registry access) 16->48 50 Tries to harvest and steal browser information (history, passwords, etc) 16->50 52 Tries to harvest and steal Bitcoin Wallet information 16->52 26 conhost.exe 20->26         started        28 timeout.exe 1 20->28         started        42 severdops.ddns.net 62.197.136.69, 49795, 6204 SPRINTLINKUS Netherlands 22->42 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 06:38:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wexnh4ilxrhevxr7kocwwgohvody5mbdhcniw3cmhrevudvjp6da._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0332caaf051fed36cd7c7cd8c8ee52b196238673afa8f432873fbdf43336a31b
AsyncRAT
182280b43ae55b3458fe8d5ea1fe4ffcdd1c00fbc0f21cdcfde29f8686d245f9
AsyncRAT
1c476c0784486ed82583ae459f3ff12b42de483e19116ac879cfafe2d75d8d0c
AsyncRAT
1c680ca848d97f43e8a73d323f694b0a6701f14af19ef0da1e99e7eac9af8a65
AsyncRAT
20d4be06e6eb3b24ad927696a212f26651e0bbba4f04078cc2d6b67679ab48e5
AsyncRAT
5cfe7a77271ab8187988cdd1a9259c16cb636dcf6c63aceb977f62aa570ab419
AsyncRAT
c9aa37b14d02530c430923c6f758158f1116109efad42f3cbd2eb965aa1c3b1f
AsyncRAT
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
AsyncRAT
f9f2aa7c6b6eb3e517db83b183bc85029fe0592ad99885e5a63e692215f0722c
AsyncRAT
+ 1'318 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat collection persistence rat spyware suricata
Link:
https://tria.ge/reports/220412-hd24gagacl/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
AsyncRat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
Unpacked files
SH256 hash:
b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86
MD5 hash:
8e8fe0ec459352fcea811a941ff14888
SHA1 hash:
8133ec36f8bbc7a0d4290aef2b3134db6bd2a069
Link:
https://www.unpac.me/results/c8e86df7-ca34-4fd9-ad38-0851f5761a75/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b12ed3f10bbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img 55e287e19b6c08d2555133320f79df24db4ef1f09649f014a5817f890faf7473

AsyncRAT

Executable exe b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 55e287e19b6c08d2555133320f79df24db4ef1f09649f014a5817f890faf7473
Cape
Cape
https://www.capesandbox.com/analysis/262875/

Comments