MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b85d12e9d145f67b2e3177e70b694b364363812001d84709c0d6f29ce4f5341f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b85d12e9d145f67b2e3177e70b694b364363812001d84709c0d6f29ce4f5341f
SHA3-384 hash: cd22a0c77ee31b1b91463949ef35deeed807384f740e6f18c24d744be5d6de7f36b70c4f7a04fbe165c0eae8839e9618
SHA1 hash: b5fdc2ec91751bde8f93a5f66c0f280fc83f221c
MD5 hash: b63f60dd1189f5e440f3948c03293780
humanhash: april-mockingbird-black-fanta
File name:SecuriteInfo.com.Mal.Generic-S.247.4447
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:324'608 bytes
First seen:2021-02-27 11:49:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5be9911699ff7cd3db3e8298f417173 (1 x AsyncRAT)
ssdeep 6144:Ap2dYlUst8yGhRh9BdxQZKPbszLgIxEVpu6apviQ5QYUoSw8Yaa:82AYbt9BvECb085VQQYUoSs
Threatray 920 similar samples on MalwareBazaar
TLSH 48641209395C1FE0FFE06DF30927E2C95AA88E2239A09196D4F4F47BB4752A663C7171
Reporter SecuriteInfoCom
Tags:AsyncRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Mal.Generic-S.247.4447
Verdict:
Malicious activity
Analysis date:
2021-02-27 11:51:26 UTC
Tags:
opendir loader trojan rat asyncrat
Link:
https://app.any.run/tasks/e6348c7d-45db-4097-a6f5-561b95602580

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119585/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.Mal.Generic-S.247.4447.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the %temp% directory
Creating a file
Launching a process
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/620376
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Drops PE files to the startup folder
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359181 Sample: SecuriteInfo.com.Mal.Generi... Startdate: 27/02/2021 Architecture: WINDOWS Score: 78 77 Antivirus detection for URL or domain 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 5 other signatures 2->83 8 SecuriteInfo.com.Mal.Generic-S.247.exe 3 10 2->8         started        13 Sus.exe 6 2->13         started        15 winmnt.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 73 103.212.180.246, 49712, 49719, 49731 SAN-AS-APSAN-IDCTH Thailand 8->73 65 C:\Users\user\AppData\Roaming\...\wtf.exe, PE32+ 8->65 dropped 67 C:\Users\user\AppData\Roaming\...\Sus.exe, PE32 8->67 dropped 87 Drops PE files to the startup folder 8->87 89 Contains functionality to register a low level keyboard hook 8->89 91 Sample or dropped binary is a compiled AutoHotkey binary 8->91 19 Sus.exe 7 8->19         started        22 javaw.exe 4 8->22         started        25 wtf.exe 501 8->25         started        69 C:\Users\user\AppData\Local\Temp\winmnt.exe, PE32 13->69 dropped 93 Protects its processes via BreakOnTermination flag 13->93 27 cmd.exe 13->27         started        29 cmd.exe 13->29         started        95 Multi AV Scanner detection for dropped file 15->95 31 wtf.exe 17->31         started        file5 signatures6 process7 dnsIp8 85 Protects its processes via BreakOnTermination flag 19->85 33 cmd.exe 1 19->33         started        35 cmd.exe 1 19->35         started        71 192.168.2.1 unknown unknown 22->71 37 icacls.exe 22->37         started        39 wtf.exe 25->39         started        41 winmnt.exe 27->41         started        45 conhost.exe 27->45         started        47 timeout.exe 27->47         started        49 conhost.exe 29->49         started        51 schtasks.exe 29->51         started        signatures9 process10 dnsIp11 53 conhost.exe 33->53         started        55 timeout.exe 1 33->55         started        57 winmnt.exe 33->57         started        59 conhost.exe 35->59         started        61 schtasks.exe 1 35->61         started        63 conhost.exe 37->63         started        75 pastebin.com 104.23.99.190, 443, 49730 CLOUDFLARENETUS United States 41->75 97 Protects its processes via BreakOnTermination flag 41->97 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b85d12e9d145f67b2e3177e70b694b364363812001d84709c0d6f29ce4f5341f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-25 21:49:02 UTC
AV detection:
25 of 48 (52.08%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2c8c5c5e5990da4a2af218cfece6afda3f4830be6605b9767adbfbde2e5cd276
AsyncRAT
37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a
AsyncRAT
54747f101ba51f7364f85105375eb872927e2ec2414fd6fa32dc4797b4eb6e8e
AsyncRAT
580b46d3c66531c7398e60857e6d5177d500d75cc802ded85965e0c2a09e255c
AsyncRAT
73ffaa868244eb4bcee7027ce57d30e604dda4dcda00fcfcbfb43103909ea52b
AsyncRAT
7fa47492c2377042d9b56f5d81c5e342aced8f51ca4237c9cd228d9b13b3bca5
AsyncRAT
867eb496d9f6122024560c00e0a2fde238fed90558dd0b4b838047c8eed8196c
AsyncRAT
8dd3b9fb0158903433d23f879d07820b8110a4b6417f3deda72342c2f698384e
AsyncRAT
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
AsyncRAT
dffdd312b2c69b06bd6e365479ab9887169c89f249b29d7b7f64327cb1ea371d
AsyncRAT
+ 910 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat pyinstaller rat upx
Link:
https://tria.ge/reports/210227-ty3fteed5j/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
null:null
Unpacked files
SH256 hash:
7946a83586e1f8483e57030290884ada7528e643e224becba4459310a6235a73
MD5 hash:
873c60cd9de9f0a3689eff6a22babc25
SHA1 hash:
97d71bab79c1149ec8d94465e979c7ce3789a2c6
Link:
https://www.unpac.me/results/022860ef-d739-47a0-add3-944966dbd255/
SH256 hash:
b85d12e9d145f67b2e3177e70b694b364363812001d84709c0d6f29ce4f5341f
MD5 hash:
b63f60dd1189f5e440f3948c03293780
SHA1 hash:
b5fdc2ec91751bde8f93a5f66c0f280fc83f221c
Link:
https://www.unpac.me/results/022860ef-d739-47a0-add3-944966dbd255/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b85d12e9d145f67b2e3177e70b694b364363812001d84709c0d6f29ce4f5341f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe b85d12e9d145f67b2e3177e70b694b364363812001d84709c0d6f29ce4f5341f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/119585/
  
URLhaus
https://urlhaus.abuse.ch/url/1035376/
  
Delivery method
Distributed via web download

Comments