MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf857a8b64347b8df2cced82c84b9db3bb3139d481bead89e641e819cce1d4d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf857a8b64347b8df2cced82c84b9db3bb3139d481bead89e641e819cce1d4d3
SHA3-384 hash: 725eab779056b85d22e7649a5d4b83fee2a6d31dea60312262fc5667c5b6c61c1bcacdc22c12db7ea84ffb3a463a1a9c
SHA1 hash: 77d756e7ea8c55fad5ff503c43a0b0da3adba54b
MD5 hash: a8ff355f269513cf4f1c177d02e41a9d
humanhash: july-yankee-london-london
File name:a8ff355f269513cf4f1c177d02e41a9d.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'414'154 bytes
First seen:2022-03-14 09:16:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 98304:pAI+mYFV6j/5hC9BTBGUQXn1OG6vwmfrkuW:itm1CrYUyn1OpImfrkX
Threatray 489 similar samples on MalwareBazaar
TLSH T1CAF5333DA1A1403AD1930631496F4379F626BB059B7421CF66DF8E290DB3381AF7A3D6
File icon (PE):PE icon
dhash icon 92a0ac9aaaea7a72 (2 x RedLineStealer, 1 x Sality, 1 x AsyncRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
198.23.212.148:2411

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
198.23.212.148:2411 https://threatfox.abuse.ch/ioc/395118/

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250049/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the Program Files subdirectories
Modifying a system file
Creating a process from a recently created file
Adding an access-denied ACE
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the process to interact with network services
Launching a process
Creating a file in the Windows subdirectories
Changing a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9107/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint greyware overlay packed quasar shell32.dll
Link:
https://www.filescan.io/uploads/622f0814b94fb38cb4790c89/reports/30e81c57-f43d-44c3-ac42-f93ba9ee07e1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bcbd662-ddd5-45d4-9c14-b0de22ef49a5
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955921
Signature
Adds a directory exclusion to Windows Defender
Adds a new user with administrator rights
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Bypass UAC via CMSTP
Sigma detected: File Created with System Process Name
Sigma detected: Hurricane Panda Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 588402 Sample: LbB0EwwJX1.exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 64 api.ipify.org 2->64 66 tools.keycdn.com 2->66 68 2 other IPs or domains 2->68 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for dropped file 2->74 78 13 other signatures 2->78 9 LbB0EwwJX1.exe 14 12 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 4 other processes 2->17 signatures3 76 May check the online IP address of the machine 64->76 process4 dnsIp5 52 C:\Users\user\AppData\Roaming\svchost.exe, PE32 9->52 dropped 54 C:\Users\user\AppData\...\Runtime Brocker.exe, PE32 9->54 dropped 56 C:\Users\user\AppData\Roaming\Host.exe, PE32 9->56 dropped 60 2 other files (none is malicious) 9->60 dropped 88 Drops PE files with benign system names 9->88 20 Host.exe 7 7 9->20         started        58 C:\Windows\Temp\ngvx40pt.inf, Windows 13->58 dropped 90 Antivirus detection for dropped file 13->90 92 Multi AV Scanner detection for dropped file 13->92 94 Changes security center settings (notifications, updates, antivirus, firewall) 15->94 62 127.0.0.1 unknown unknown 17->62 file6 signatures7 process8 file9 50 C:\Windows\Resources\Themes\...\svchost.exe, PE32 20->50 dropped 80 Antivirus detection for dropped file 20->80 82 Multi AV Scanner detection for dropped file 20->82 84 Creates an autostart registry key pointing to binary in C:\Windows 20->84 86 5 other signatures 20->86 24 net.exe 1 20->24         started        26 net.exe 1 20->26         started        28 net.exe 1 20->28         started        30 9 other processes 20->30 signatures10 process11 process12 32 conhost.exe 24->32         started        34 net1.exe 1 24->34         started        36 conhost.exe 26->36         started        38 net1.exe 1 26->38         started        40 conhost.exe 28->40         started        42 net1.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 30->46         started        48 8 other processes 30->48
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf857a8b64347b8df2cced82c84b9db3bb3139d481bead89e641e819cce1d4d3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-12 13:23:00 UTC
File Type:
PE (Exe)
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6cxvc3egr5y34wm5wbmqs45wo5tcoouqg7k3cpgihubtthb2tjq._file
Verdict:
malicious
Similar samples:
06db093414f42d7669e57d31a8d563c71018e8d75c886244b77a6a9bc86b6fdb
AsyncRAT
13e353b5aaf0a49286d0148954759cf4eb844087f28bf0be58f9fe0f8c9df947
AsyncRAT
1b7d7515f98891cf08164a7469bb9c9f3133e7834cfe99d55094594ca330e982
AsyncRAT
4564033ca316b31e192f8dcfca9743756ebfe554c43e952924c4ef6581ef9e15
AsyncRAT
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
AsyncRAT
48c1378f5e48ec365691bf3cf9c44f381e181c0e669df0169ff057c2cf8917f8
AsyncRAT
5ce9dedae33e348bed0fc2fa2f8831adc8263177b7d2674dc634cd2709beba09
AsyncRAT
77088c2f6f9178e0da504d14ff3687ce5dbd4972a0cd527b900657132e4666dc
AsyncRAT
9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9
AsyncRAT
+ 479 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:njrat family:quasar botnet:kgbown botnet:nyan cat discovery evasion persistence rat spyware suricata trojan
Link:
https://tria.ge/reports/220314-k82sasfhgp/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Async RAT payload
Grants admin privileges
Looks for VirtualBox Guest Additions in registry
AsyncRat
Quasar Payload
Quasar RAT
UAC bypass
Windows security bypass
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction:
4Mekey.myftp.biz:4782
4Mekey.myftp.biz:2411
4Mekey.myftp.biz:6606
4Mekey.myftp.biz:7707
4Mekey.myftp.biz:8808
Unpacked files
SH256 hash:
073a67ab274258c4f6d15f86140b4d9dec392427b660f416e31b20fd03a47742
MD5 hash:
e87ad08a9d20aac0f4cd8978c8ec4b8f
SHA1 hash:
4d902a4ec2376140f5eb784aaece966c66a94661
Link:
https://www.unpac.me/results/0c364f5c-341d-4e1c-b22c-2fac4651f579/
SH256 hash:
30e8dd22cf7718eebcd5ea1b00b5539fbcc6f0b440f97a4de304c09aff47b73a
MD5 hash:
34e607d38e993d72bf448bca388d64c2
SHA1 hash:
68bb6f8469e8d26b20576b6a60d478cf6c816e87
Link:
https://www.unpac.me/results/0c364f5c-341d-4e1c-b22c-2fac4651f579/
SH256 hash:
4e5bfad0d2822067e95b2057905944c8f7994d5b9ba49e92aa15da74d269ee01
MD5 hash:
2da7bd1fe310c36ab3ef1a7bebf7330d
SHA1 hash:
28c2974b27bae56d0b09ea2ca63443822182a99f
Link:
https://www.unpac.me/results/0c364f5c-341d-4e1c-b22c-2fac4651f579/
SH256 hash:
bf857a8b64347b8df2cced82c84b9db3bb3139d481bead89e641e819cce1d4d3
MD5 hash:
a8ff355f269513cf4f1c177d02e41a9d
SHA1 hash:
77d756e7ea8c55fad5ff503c43a0b0da3adba54b
Link:
https://www.unpac.me/results/0c364f5c-341d-4e1c-b22c-2fac4651f579/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf857a8b64347b8df2cced82c84b9db3bb3139d481bead89e641e819cce1d4d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250049/

Comments