MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b465151f3d0ce34aad5f35ff2647138b763f133e75d01336e9191185f58b0931. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b465151f3d0ce34aad5f35ff2647138b763f133e75d01336e9191185f58b0931
SHA3-384 hash: 0291a3861d60b490a14ecb73c95cb0a4f747594a0b69b3c9ae67574cc4cd7917e3aff2a1260046d2cc6d22b241917415
SHA1 hash: f1409b245e7da8bfe3370c3011e8d0b422a1f7f5
MD5 hash: 7821c8246c7e5af805c90fa2b4bc7bf3
humanhash: fifteen-september-two-carpet
File name:Order 00-06022784.pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'315'328 bytes
First seen:2021-01-19 17:54:56 UTC
Last seen:2021-01-19 19:55:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:cwhlpwTOHKmeUvXrQaaryN+GFaT+YiuVUW:cwmCqmeUvzaryN7JZSUW
Threatray 564 similar samples on MalwareBazaar
TLSH 4355939C716C71EEC8D7C4629AAB1C64EA536C7A431B410390273DB9BA7C897CF147B2
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: yahoo.com
Sending IP: 178.211.52.231
From: Derek - purchase dept <sales.bmt-trading@yahoo.com>
Subject: Purchase order 00-06022784 01/19/2021
Attachment: 00-06022784.zip (contains "Order 00-06022784.pdf.exe")

AsyncRAT C2:
79.134.225.23:30493

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order 00-06022784.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 18:07:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9b2e17f-faba-439d-84d2-b247f5be6ae6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112973/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.tc.7674.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/585431
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b465151f3d0ce34aad5f35ff2647138b763f133e75d01336e9191185f58b0931/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 17:55:08 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrsrkhz5btruvlk7gx7smrytrn3d6ez6oxibgnxjdeiyl5mlbeyq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0a9e7542b65b3a7c5e1a11a2b23c2366fd53bff3205bb9d1656d4e32d1f0068b
AsyncRAT
2c8c5c5e5990da4a2af218cfece6afda3f4830be6605b9767adbfbde2e5cd276
AsyncRAT
395fdb688d7d8085e2636fb26e7e4d5004ae3ec20db26edeee1e0a19d5872e07
AsyncRAT
65c205b93cf9c6d9e9acd5336e010a43309688bfc2e28cffbb5ba8973757fd49
AsyncRAT
68bf0a42854ac13fe13a75bb213f51934a3edc0fa7a0732ddb12a68699619474
AsyncRAT
867eb496d9f6122024560c00e0a2fde238fed90558dd0b4b838047c8eed8196c
AsyncRAT
8dd3b9fb0158903433d23f879d07820b8110a4b6417f3deda72342c2f698384e
AsyncRAT
c853a4beac9f6fcea2bb9ad13b17eafd6605cac76899edbecd88d4f981d9f432
AsyncRAT
e452ae28b674ac4715a811e24d502948e94489ccb1ed14ca49d3ed8ab395f85c
AsyncRAT
fc926b2871dc293ad75ff0caf3863adc75b9342a34c1965c3991f512a2f666c8
AsyncRAT
+ 554 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210119-rnvffteyk6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
79.134.225.23:30493
Unpacked files
SH256 hash:
38849e82a4cd6a71ba4590dd45ea85daf425d98b46098096f104fe2895b42c56
MD5 hash:
3cef12c21d7ea7825dab3e5f05a3937e
SHA1 hash:
f7e38adb5111fb7f296a223775af02c32b3d0e21
Link:
https://www.unpac.me/results/fb217dd0-6925-4d96-aebf-c6e19882500d/
SH256 hash:
df2807abad5cc14bee9a2149136e8a3100e382daf6e8c8edc2152d41c372b386
MD5 hash:
7ef1b401eaf416f216d8d3fa36d42366
SHA1 hash:
ce5a2394ce3b79dcaa878d7a1df99f10f170bbcf
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/fb217dd0-6925-4d96-aebf-c6e19882500d/
Parent samples :
3dd4c0a246882a35140b2476292a4070038e90755d0f9d9da65daa06a99880f8
b465151f3d0ce34aad5f35ff2647138b763f133e75d01336e9191185f58b0931
SH256 hash:
366da8a6cbd04282ab6ef9c2ffc25d4aee0e52461da78ecc17ecba2db39ed834
MD5 hash:
460571c0e5a72a62cd42adc66616f197
SHA1 hash:
88f9305bd2a88cac12574fa86922a1b9c63dd32c
Link:
https://www.unpac.me/results/fb217dd0-6925-4d96-aebf-c6e19882500d/
SH256 hash:
b465151f3d0ce34aad5f35ff2647138b763f133e75d01336e9191185f58b0931
MD5 hash:
7821c8246c7e5af805c90fa2b4bc7bf3
SHA1 hash:
f1409b245e7da8bfe3370c3011e8d0b422a1f7f5
Link:
https://www.unpac.me/results/fb217dd0-6925-4d96-aebf-c6e19882500d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b465151f3d0ce34aad5f35ff2647138b763f133e75d01336e9191185f58b0931

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 2ff41edfa33478dbda69bc9ba6fc3c059822895a47ab8cc9f2d05d227e805313

AsyncRAT

Executable exe b465151f3d0ce34aad5f35ff2647138b763f133e75d01336e9191185f58b0931

(this sample)

  
Dropped by
MD5 8d1da2f6bd08f25dfca7552502a36418
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2ff41edfa33478dbda69bc9ba6fc3c059822895a47ab8cc9f2d05d227e805313
Cape
Cape
https://www.capesandbox.com/analysis/112973/

Comments