MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75
SHA3-384 hash: 03b9b1da5433cd2cbb009673c1210abe331499a308b3d7bce48d016dfe8d98d5f072983891e18e5b3ded884e3219cde1
SHA1 hash: df7da998dd6a70631c6d8d1bd007f0820155d61c
MD5 hash: 1cee64efc81d4853d76e04a737f114c9
humanhash: zulu-xray-kentucky-kilo
File name:1CEE64EFC81D4853D76E04A737F114C9.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:701'895 bytes
First seen:2021-04-04 20:10:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:Qs8x4Ibt4KIQeJ1zUWsLYM0XENxQHc5JWqCzw9CBid6ktsT4kqxTB06c:SGIK/ALhQHc5JkZo/tsT+/06c
Threatray 11 similar samples on MalwareBazaar
TLSH E3E4124A3791E097D83465351DEEE0727AA23C082B56023F3B67772E5E351A2967323F
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
179.43.140.208:7707

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
179.43.140.208:7707 https://threatfox.abuse.ch/ioc/6771/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1CEE64EFC81D4853D76E04A737F114C9.exe
Verdict:
Malicious activity
Analysis date:
2021-04-04 20:12:16 UTC
Tags:
installer trojan rat asyncrat
Link:
https://app.any.run/tasks/6f415d03-916b-4b51-a3be-df1a6ec41205

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132116/
Detection(s):
Win.Trojan.Generic-9848208-0
Create hunting rule

Win.Trojan.Spynoon-9848587-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11b65096-3a5d-47e1-bf94-12e8cededce9
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665659
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381758 Sample: L2j4L6Bp7T.exe Startdate: 04/04/2021 Architecture: WINDOWS Score: 100 84 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->84 86 Antivirus detection for dropped file 2->86 88 Multi AV Scanner detection for dropped file 2->88 90 6 other signatures 2->90 11 L2j4L6Bp7T.exe 11 2->11         started        15 winmgr.exe 2->15         started        process3 file4 76 C:\Users\user\AppData\Local\...\bmzqq630.dll, PE32 11->76 dropped 112 Detected unpacking (changes PE section rights) 11->112 114 Detected unpacking (creates a PE file in dynamic memory) 11->114 116 Detected unpacking (overwrites its own PE header) 11->116 118 Maps a DLL or memory area into another process 11->118 17 L2j4L6Bp7T.exe 1 5 11->17         started        signatures5 process6 dnsIp7 78 179.43.140.208, 49726, 49729, 49735 PLI-ASCH Panama 17->78 56 C:\Users\user\AppData\Local\Temp\xgrsla.exe, PE32 17->56 dropped 58 C:\Users\user\AppData\Local\Temp\igjilp.exe, PE32 17->58 dropped 21 cmd.exe 1 17->21         started        24 cmd.exe 1 17->24         started        file8 process9 signatures10 104 Suspicious powershell command line found 21->104 26 powershell.exe 13 21->26         started        28 conhost.exe 21->28         started        106 Bypasses PowerShell execution policy 24->106 30 powershell.exe 14 24->30         started        32 conhost.exe 24->32         started        process11 process12 34 xgrsla.exe 1 20 26->34         started        38 igjilp.exe 5 30->38         started        dnsIp13 60 C:\Users\user\AppData\...\winupdate.exe, PE32 34->60 dropped 62 C:\Users\user\AppData\...\ze0siavqq0.dll, PE32 34->62 dropped 92 Multi AV Scanner detection for dropped file 34->92 94 Detected unpacking (changes PE section rights) 34->94 96 Detected unpacking (overwrites its own PE header) 34->96 102 2 other signatures 34->102 41 xgrsla.exe 34->41         started        80 192.168.2.1 unknown unknown 38->80 64 C:\Users\user\Saved Games\Plague\winmgr.exe, PE32 38->64 dropped 66 C:\Users\user\Saved Games\...\RCXE09E.tmp, PE32 38->66 dropped 68 C:\Users\user\AppData\Local\...68ewTask.xml, XML 38->68 dropped 98 Machine Learning detection for dropped file 38->98 100 Uses schtasks.exe or at.exe to add and modify task schedules 38->100 45 winmgr.exe 38->45         started        48 schtasks.exe 1 38->48         started        50 schtasks.exe 1 38->50         started        file14 signatures15 process16 dnsIp17 70 C:\Users\user\AppData\...\sihost64.exe, PE32 41->70 dropped 72 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 41->72 dropped 74 C:\Users\user\AppData\...\ServicesTeamWD.exe, PE32 41->74 dropped 108 Creates multiple autostart registry keys 41->108 110 Sample is not signed and drops a device driver 41->110 82 179.43.176.8, 49741, 49742, 49743 PLI-ASCH Panama 45->82 52 conhost.exe 48->52         started        54 conhost.exe 50->54         started        file18 signatures19 process20
Gathering data
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2021-04-03 04:26:00 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xm44brybqpatsi7kjnho3tqidranof26qew6dy3q77gden74xz2q._file
Verdict:
unknown
Similar samples:
06e145e0068c9631d558c1f1c04b51fe8c6a36052a6a051986642eb0dec85232
AsyncRAT
6153eb4861731cb8b710414247b40ca5851a31c6a79b44d488d02d59b4abc5ff
AsyncRAT
6e176a6a67a3db2b56398f4d940c956270a1d145a3b126fa37cc164530a6f5ab
AsyncRAT
75da456980b6c16a80a05269d6fee93bc18a242ebe0c7f9f014bad8828b09291
AsyncRAT
8c41074da2e38da01c61a00a6fb9a9983d5e6091547b4f7a5f74b3797a5a59fe
AsyncRAT
8d5fcc37dd8243986f9bb28dccd74960163c965f87f23fc4e0360f17188cc332
AsyncRAT
9ea59a3284eb0dfd4af9a58e5e5be9abf46cd42e911650f587c7d6d67d29691f
AsyncRAT
ae00e3b5b5b3fe0b6ecf5c4ccbd461eee232654c45134a66d8e4a3b7cdcdf55a
AsyncRAT
bbdd92fe560df908080324d2c514af5c674f1aa2b8c4b65d5a37a5cd6ccbbba2
AsyncRAT
ee379be40d5c1621d1e0ccf136de363f950cbc92e5ee7f2b05c447cf8f6f2398
AsyncRAT
+ 1 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/210404-84a6kjhrkn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
179.43.140.208:7707
179.43.140.208:8808
179.43.140.208:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:6606
Unpacked files
SH256 hash:
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078
MD5 hash:
eef9e469e8a30717974499f277d97e2a
SHA1 hash:
2d33c25984ebd9116beeb55cdde4c5c86c023e5d
Link:
https://www.unpac.me/results/0ce96a05-f431-42df-8283-fd6174ab32fe/
SH256 hash:
bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75
MD5 hash:
1cee64efc81d4853d76e04a737f114c9
SHA1 hash:
df7da998dd6a70631c6d8d1bd007f0820155d61c
Link:
https://www.unpac.me/results/0ce96a05-f431-42df-8283-fd6174ab32fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Vundo
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132116/

Comments