MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c07aff77a2523b0fa86790e3dab7341e75fa557cdcb7f850b5cc803f6260cf88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c07aff77a2523b0fa86790e3dab7341e75fa557cdcb7f850b5cc803f6260cf88
SHA3-384 hash: 1d351182760dbb99f5ba1b6fb75cbf710617622cc1d739d62de6e6f87a659d84f5cbe85e1039dc1a3fd40a3a62c386dc
SHA1 hash: ef04d6ca2cd45fc940bec7c44ff4e158f6e8d129
MD5 hash: 3ea9acaceb901b3b5c8789db1eac745a
humanhash: winner-xray-ink-march
File name:3e.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:440'832 bytes
First seen:2021-12-06 16:04:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:kA8riLTl+bd8DcYvZeSdenUK0D/JGPNaeHZSFtkWWPq:VFJ0cW
Threatray 58 similar samples on MalwareBazaar
TLSH T15A9438342DEA502AB173EF698BE479EADA2FB7733B07585D10A103864B23942DDC153D
Reporter 0x746f6d6669
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e.exe
Verdict:
No threats detected
Analysis date:
2021-12-06 20:47:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4dfefe51-1051-4d91-9d2a-459864439e59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211865/
Detection(s):
Win.Trojan.Ursu-9881757-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a file in the %temp% directory
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file in the %AppData% subdirectories
Launching the process to change the firewall settings
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61ae34b247ed217c013387c2/reports/c13bd790-127e-45af-843d-e8bd8e543752/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f663098-6cd8-4144-8bd0-bc4d9d507500
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902433
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Enables a proxy for the internet explorer
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sets a proxy for the internet explorer
Sigma detected: Suspicious Csc.exe Source File Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 534915 Sample: 3e.exe Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 40 www.google.com 2->40 42 consent.google.com 2->42 44 2 other IPs or domains 2->44 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 66 5 other signatures 2->66 9 3e.exe 1 2->9         started        signatures3 64 Performs DNS queries to domains with low reputation 42->64 process4 file5 36 C:\Users\user\AppData\Local\...\3e.exe.log, ASCII 9->36 dropped 68 Writes to foreign memory regions 9->68 70 Allocates memory in foreign processes 9->70 72 Modifies the context of a thread in another process (thread injection) 9->72 74 Injects a PE file into a foreign processes 9->74 13 MSBuild.exe 17 46 9->13         started        signatures6 process7 dnsIp8 52 content-maker.xyz 13->52 54 www.google.com 13->54 56 7 other IPs or domains 13->56 38 C:\Users\user\AppData\...\z0uqwomt.cmdline, UTF-8 13->38 dropped 76 Installs new ROOT certificates 13->76 78 May check the online IP address of the machine 13->78 80 Performs DNS queries to domains with low reputation 13->80 82 6 other signatures 13->82 18 powershell.exe 14 17 13->18         started        21 csc.exe 3 13->21         started        24 netsh.exe 3 13->24         started        file9 signatures10 process11 dnsIp12 46 content-maker.xyz 18->46 48 www.google.com 142.250.181.228 GOOGLEUS United States 18->48 50 3 other IPs or domains 18->50 26 conhost.exe 18->26         started        34 C:\Users\user\AppData\Local\...\z0uqwomt.dll, PE32 21->34 dropped 28 conhost.exe 21->28         started        30 cvtres.exe 1 21->30         started        32 conhost.exe 24->32         started        file13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c07aff77a2523b0fa86790e3dab7341e75fa557cdcb7f850b5cc803f6260cf88/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 18:18:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
AsyncRAT
6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5
AsyncRAT
720aa2910e6e575ee4b6429e3290dd27a116f407f567614ce242c63c9d83cd8b
AsyncRAT
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
AsyncRAT
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
AsyncRAT
ba3c244413f003bbd093b5e3e082bb9b0914d5bd9e03526b0e4b4faf4eacc411
AsyncRAT
ccc7d187ff725af5867b1358f3324be6155de93ce81079564d1fa22bac501702
AsyncRAT
f7707fe4c69384493ced8f0defb76e6a9f4921e1ac14ae957329cbf92f1f00b2
AsyncRAT
+ 48 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat collection evasion rat
Link:
https://tria.ge/reports/211206-tjjd4ahde6/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Blocklisted process makes network request
Modifies Windows Firewall
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
windowsupdatecdn.cn:456
gjghvga7ffgb.xyz:456
huugbbvuay4.cn:456
Unpacked files
SH256 hash:
c07aff77a2523b0fa86790e3dab7341e75fa557cdcb7f850b5cc803f6260cf88
MD5 hash:
3ea9acaceb901b3b5c8789db1eac745a
SHA1 hash:
ef04d6ca2cd45fc940bec7c44ff4e158f6e8d129
Link:
https://www.unpac.me/results/0b83ae0e-1125-45df-a391-adcb84798384/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c07aff77a252/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/c07aff77a2523b0fa86790e3dab7341e75fa557cdcb7f850b5cc803f6260cf88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:Reflective_DLL_Loader_Aug17_1
Create hunting rule
Author:Florian Roth
Description:Detects Reflective DLL Loader
Reference:Internal Research
Rule name:Reflective_DLL_Loader_Aug17_1_RID317F
Create hunting rule
Author:Florian Roth
Description:Detects Reflective DLL Loader
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211865/

Comments