MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbb9b256c5de87488101d517ea07b2135a59699ea30b9e7d9a93c7a5443233b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbb9b256c5de87488101d517ea07b2135a59699ea30b9e7d9a93c7a5443233b9
SHA3-384 hash: 393fa74e01a89540c835b9f2990299307a062e9e3aefe3f0256cb8f934d319c62cf973c667ebab32e617cd4a7d5206a7
SHA1 hash: f1ef4833f3e7f7eb2273a4be669619fd0739f419
MD5 hash: d50011343e030e508fb209585853c660
humanhash: delta-autumn-salami-nebraska
File name:inqqqqquiry9867120210406000900.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:885'248 bytes
First seen:2021-06-07 07:55:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:OpfNlBpgXF20oF77b3vT1yBw0XjNViCgUrgA0id1n/BeY8QcW:On3pgX07bpSw0Xj+vpidN/0Q
Threatray 956 similar samples on MalwareBazaar
TLSH 87155DF4F594D8A0C19DC732C7CACC7CD7A559E912538E2D19F86A8E2A0379B8F494C8
Reporter GovCERT_CH
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
inqqqqquiry9867120210406000900.exe
Verdict:
Malicious activity
Analysis date:
2021-06-07 07:58:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7cae4d5-68ee-4757-8e46-937c50a9e12d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164926/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.803.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797904
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bbb9b256c5de87488101d517ea07b2135a59699ea30b9e7d9a93c7a5443233b9/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-05 07:20:12 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xo43evwf32duraib2ul6ub5scnnfs2m6umfz47m2spd2krbsgo4q._file
Verdict:
unknown
Similar samples:
21c9d551916ce07bc434b9f1dfa8aaa4cd47c2746a0ece6f8ea1f2b61083d168
AsyncRAT
2a7bafae032f032eaaa5572bfc620b8ad777e9936932c0dc01464a4392429ad2
AsyncRAT
3686ddb8d635e49a9b4e396973aeca3f385a009e3f0265b6679db215776e2c58
AsyncRAT
5e93e8c7f6ba5a59e14d6c4fc47eaf264872e25b424e59924ff3b216f62ab6af
AsyncRAT
7e764e53424c41b68593b184364b18e22eeb77199532e6dd9b7d968cc7f4014d
AsyncRAT
ad5d4e214bf6c1bdeaa55653c66aa2416e33d49f8f17104ebcf7108365ec4419
AsyncRAT
be88b8e105148732011efec965b0c70c9adb6edde0ea1db2bfca2051e079f292
AsyncRAT
d62c650fa302858696ef4a99776b1b7f95174bd3d73f341ffb5faa4e161d665b
AsyncRAT
d6dfe4aff30b87552b5d9c70c88c34a3eebdf2edfbe80f5c4f77472ef26bdec3
AsyncRAT
ebd35b3cd174a681f57ec55b37d5a8df1db8c50c27e352912ef611c9dbf4fa39
AsyncRAT
+ 946 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210607-p8w8vmv7d6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
eltigangiad02.duckdns.org:6606
eltigangiad02.duckdns.org:7707
eltigangiad02.duckdns.org:8808
Unpacked files
SH256 hash:
1e7c66f6da06a0ea81371fb98d0e76424a600518b808140279c7ba8e06541ac5
MD5 hash:
8fe0389e4b903545421e42b628186cd2
SHA1 hash:
f6adc3d1a4ac995fad2a49474243d896b0236c2b
Link:
https://www.unpac.me/results/186bb010-353d-4476-9418-d83dda8df17e/
SH256 hash:
bbb9b256c5de87488101d517ea07b2135a59699ea30b9e7d9a93c7a5443233b9
MD5 hash:
d50011343e030e508fb209585853c660
SHA1 hash:
f1ef4833f3e7f7eb2273a4be669619fd0739f419
Link:
https://www.unpac.me/results/186bb010-353d-4476-9418-d83dda8df17e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbb9b256c5de87488101d517ea07b2135a59699ea30b9e7d9a93c7a5443233b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_generic_suspicious_hex_string_Jun2021_1
Create hunting rule
Author:Nils Kuhnert
Description:Triggers on parts of a big hex string available in lots of crime'ish PE files.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:susp_hex_string_Jun2021_1
Create hunting rule
Author:3c7
Description:Triggers on suspiciously long hex string that seems to be common in a lot of samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe bbb9b256c5de87488101d517ea07b2135a59699ea30b9e7d9a93c7a5443233b9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164926/

Comments