MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba1c5f36a287271ae64d7fb5e803ced708a75ac3398448f8c3000cf9f2897f86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

SHA256 hash: ba1c5f36a287271ae64d7fb5e803ced708a75ac3398448f8c3000cf9f2897f86
SHA3-384 hash: 035a1ff897add32df35e11291339508639bfed5d0400d5d7a34e2ef2759e798092c8ce4adc6025fccec9948cc078b0e6
SHA1 hash: f3f228fe5c3bd9a903cfe891ea46ecfbe69de784
MD5 hash: 4abe1482b72bc41218cfa12516674b21
humanhash: sweet-moon-eight-purple
File name: MAJDALANI INOX SA Pedido.exe
Signature: AsyncRAT
File size: 189'752 bytes
First seen: 2020-08-05 16:09:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 3072:z9q2Ore0Zxvxi9CCNuTsgDMc2BUIPmM8tF/7GkL7utmW/vmSm7wWsD88zvkoUEHf:5vqeExANNuq8DstySDWEHPmVq
Threatray: 430 similar samples on MalwareBazaar
TLSH: D9045CD2E1C41CC4E51957714C37AD252267AFBAC871990E6CAAB536AB732C32437C8F
Reporter: abuse_ch
Tags: AsyncRAT exe


abuse_ch
Malspam distributing unidentified malware:

HELO: [193.8.195.28]
Sending IP: 193.8.195.28
From: Angelo <ventas08@majdainox.com>
Reply-To: Angelo <ventas08.majdainox@samerica.com>
Subject: FW: MAJDALANI INOX S.A Pedido
Attachment: MAJDALANI INOX SA Pedido.r11 (contains "MAJDALANI INOX SA Pedido.exe")

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 79
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Sending a UDP request
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Connection attempt to an infection source
Enabling autorun
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.adwa.evad
Score: 96 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph (ID 258116; the rendered graph image was not captured, recoverable details follow):
Sample: MAJDALANI INOX SA Pedido.exe, start date 05/08/2020, architecture WINDOWS, score 96
Signatures on the root node: Icon mismatch, binary includes an icon from a different legit application in order to fool users; Yara detected AsyncRAT; .NET source code references suspicious native API functions; 5 other signatures
Process chain: four instances of MAJDALANI INOX SA Pedido.exe started, each spawning InstallUtil.exe child processes
Dropped files: C:\Users\...\MAJDALANI INOX SA Pedido.exe (PE32); MAJDALANI INOX SA ...exe:Zone.Identifier (ASCII)
Signatures on the process nodes: Creates an undocumented autostart registry key; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
Network: 185.140.53.9 (ports 49723, 49729, 49731; DAVID_CRAIGGG, Sweden); pastebin.com 104.23.98.190 (ports 443, 49722; CLOUDFLARENETUS, United States)
Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2020-08-05 16:11:05 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: rat persistence family:asyncrat
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Async RAT payload
Modifies WinLogon for persistence
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | AsyncRAT | Executable exe ba1c5f36a287271ae64d7fb5e803ced708a75ac3398448f8c3000cf9f2897f86 (this sample)

Delivery method: Distributed via e-mail attachment

Comments