MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb3f58303f485aae5008474b5728f5f5dddea88b517835da3e402e0cafa53253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT
Vendor detections: 7

SHA256 hash: bb3f58303f485aae5008474b5728f5f5dddea88b517835da3e402e0cafa53253
SHA3-384 hash: d4d8acf9d3732070458f6f2416374a55b0123b056544235cb0d06887e1d6ee64e7dab874518a300d04a1145ace9406e2
SHA1 hash: 85b6809c44e878e46a92c56f009a8bd720cbaf9b
MD5 hash: fb30ea1ee4dbef85102f797190522a64
humanhash: kansas-comet-undress-earth
File name: Remittance Invoice.exe
Signature: AsyncRAT
File size: 418'640 bytes
First seen: 2020-10-11 07:59:20 UTC
Last seen: 2020-10-11 09:04:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 3072:Hs9l6uAwMA6nWL3ETIlF9ccdC9hQnshWOLFkVdQAeXuZCDQpyOe8MHq3bcf8FDt6:cl6KyB9hjWOKVdQ/ueQCZHqDFSilZCtF
Threatray: 345 similar samples on MalwareBazaar
TLSH: B8943C7E79D62C3A963C97761D0AC6A142F93043193BDF6A5DC8AAC893A04B0F705DD3
Reporter: abuse_ch
Tags: AsyncRAT exe RAT

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: Oct 10 10:09:01 2020 GMT
Valid to: Oct 10 10:09:01 2021 GMT
Serial number: 70FBCCAABC8700C0D1C0336DA0FF556D
Thumbprint Algorithm: SHA256
Thumbprint: 414EC04256C566F298490C2D0F96A52E9DDA845485C9C5D1C5305D43AA7FB56B
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Malspam distributing AsyncRAT:

HELO: za02.rocketseed.com
Sending IP: 197.189.206.59
From: rentals@jawitzhelderberg.co.za
Subject: Tax Invoice
Attachment: Tax Invoice.img (contains "Remittance Invoice.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 138
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Behaviour
Behavior Graph (ID 296275; the rendered graph itself is not recoverable from the page, its node data is listed below):
Sample: Remittance Invoice.exe; Startdate: 11/10/2020; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 12 other signatures
Processes: Remittance Invoice.exe (started three times from the root, plus 3 other processes); a further Remittance Invoice.exe child; multiple timeout.exe instances, each with a conhost.exe child
Dropped files: C:\Users\user\...\Remittance Invoice.exe (PE32); C:\...\Remittance Invoice.exe:Zone.Identifier (ASCII); C:\Users\user\...\Remittance Invoice.exe.log (ASCII)
Per-process signatures: Creates an undocumented autostart registry key; Hides threads from debuggers; Injects a PE file into a foreign processes; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys
Network: genjustu.hopto.org 45.35.158.173, ports 49751, 7707 (AS40676, US United States); 192.168.2.1 unknown unknown
Threat name: ByteCode-MSIL.Backdoor.NanoBot
Status: Malicious
First seen: 2020-10-10 11:24:10 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: rat persistence family:asyncrat
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Async RAT payload
AsyncRat
Modifies WinLogon for persistence
Malware Config
C2 Extraction: genjustu.hopto.org,45.35.158.173:6606,7707,8808
Unpacked files
SHA256 hash: bb3f58303f485aae5008474b5728f5f5dddea88b517835da3e402e0cafa53253
MD5 hash: fb30ea1ee4dbef85102f797190522a64
SHA1 hash: 85b6809c44e878e46a92c56f009a8bd720cbaf9b
SHA256 hash: 0881ec977b8741648f36e97d7d29fac5417fe8a66a5f49d52051f8c7c065edcc
MD5 hash: 2c952c5513ac1255778eb38f910bea9a
SHA1 hash: 4f9acca41dd6b83c87348186687736004e098213
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: Reverse_text_bin_mem
Author: James_inthe_box
Description: Reverse text detected

Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AsyncRAT
Executable exe bb3f58303f485aae5008474b5728f5f5dddea88b517835da3e402e0cafa53253 (this sample)

Delivery method: Distributed via e-mail attachment

Comments