MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 2 File information Comments

SHA256 hash:	bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de
SHA3-384 hash:	563c186896af1a550d318218e582bd53acb625b6592c349cf2111cfc89553bc4bb3b175b4f2105aaee09a85cecd0838c
SHA1 hash:	fb650fc54f1ca91a3239ff261491d242cd5cb240
MD5 hash:	2c5dce407cc334568c42027d97f7d0e0
humanhash:	avocado-yellow-colorado-saturn
File name:	Swift Copy.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	687'104 bytes
First seen:	2021-07-14 11:01:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:u5ki3w7RqrDgiPJv7nCohxXZHUt4CrOx15wAHm5/jSZtPR1rEuNCSUUA:u5dTrVPJvmoLX1UqtG9heZ5Ir
Threatray	999 similar samples on MalwareBazaar
TLSH	T16DE4E1A677C06BCEC22A8D749C90BC00A3E0E6769307EF4B6CE725D8488D7D94E7615D
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

abuse_ch

AsyncRAT C2:
103.150.8.21:7707

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
103.150.8.21:7707	https://threatfox.abuse.ch/ioc/160382/

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Swift Copy.exe

Verdict:

Malicious activity

Analysis date:

2021-07-14 11:03:48 UTC

Tags:

trojan rat asyncrat

Link:

https://app.any.run/tasks/fbe374c5-94bc-4f06-9b2a-28c5a8203309

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/171633/

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/afb34872-2f21-485f-be9d-1d99a64bfc0f

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/816161

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

asyncrat

Link:

https://mwdb.cert.pl/sample/bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2021-07-14 10:51:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xt3vogsntms7vpoc2yjawgznppmei3vcxq5f3ioucj4vjeqam7pa._file

Verdict:

malicious

Label(s):

asyncrat

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat

Link:

https://tria.ge/reports/210714-qkza5mne7e/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

primopumps.duckdns.org:6606
primopumps.duckdns.org:7707
primopumps.duckdns.org:8808

Unpacked files

SH256 hash:

5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4

MD5 hash:

b0e14c3526d6623ae9b7b5f5e0efde76

SHA1 hash:

f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc

Link:

https://www.unpac.me/results/a6170ec3-febc-4fff-91f9-9c1806a60f91/

SH256 hash:

bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de

MD5 hash:

2c5dce407cc334568c42027d97f7d0e0

SHA1 hash:

fb650fc54f1ca91a3239ff261491d242cd5cb240

Link:

https://www.unpac.me/results/a6170ec3-febc-4fff-91f9-9c1806a60f91/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171633/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample