MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c208e1ec65a3bbfa95c6afc65532d2aeacf5a32baf4904853fee56f8b827e020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c208e1ec65a3bbfa95c6afc65532d2aeacf5a32baf4904853fee56f8b827e020
SHA3-384 hash: 91de0b18b720c74b2cb2cd0cb80314b03a9d8fbb8e6ea8cb92ba0be4b73f4f41076c5a89b8663a8658a682b88e61d0a1
SHA1 hash: 34b02a543a0147a245861c0b9df756e81561fd70
MD5 hash: 6d27ac6f92afb382bcb38a9f2b1315ae
humanhash: equal-carolina-queen-cardinal
File name:bash.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:448'000 bytes
First seen:2020-10-05 17:42:32 UTC
Last seen:2020-10-05 18:38:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:/RYd/lTOv+I9pmW5ZEylU77e570oStiZOkcEB6AZxYNqo:gtm+I/Rwve5IoStqH8kxYN
Threatray 352 similar samples on MalwareBazaar
TLSH D294A405A3A0A784C594FB3F39D9721F53E2F4DB0683D20A7F1A4E71517A8D89D4E28B
Reporter James_inthe_box
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481867
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293371 Sample: bash.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AntiVM_3 2->47 49 4 other signatures 2->49 8 bash.exe 4 2->8         started        12 svchst.exe 2 2->12         started        process3 file4 39 C:\Users\user\AppData\Local\...\bash.exe.log, ASCII 8->39 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->51 14 cmd.exe 1 8->14         started        16 cmd.exe 2 8->16         started        53 Writes to foreign memory regions 12->53 55 Allocates memory in foreign processes 12->55 57 Injects a PE file into a foreign processes 12->57 19 InstallUtil.exe 12->19         started        21 InstallUtil.exe 12->21         started        23 InstallUtil.exe 12->23         started        25 7 other processes 12->25 signatures5 process6 file7 27 svchst.exe 4 14->27         started        30 conhost.exe 14->30         started        37 C:\Users\user\AppData\Roaming\svchst.exe, PE32 16->37 dropped 32 conhost.exe 16->32         started        process8 signatures9 59 Multi AV Scanner detection for dropped file 27->59 61 Writes to foreign memory regions 27->61 63 Allocates memory in foreign processes 27->63 65 2 other signatures 27->65 34 InstallUtil.exe 2 27->34         started        process10 dnsIp11 41 hiveys.duckdns.org 178.33.222.241, 49725, 49742, 6606 OVHFR France 34->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c208e1ec65a3bbfa95c6afc65532d2aeacf5a32baf4904853fee56f8b827e020/
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 17:42:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yieod3dfuo57vfogv7dfkmwsv2wplizlv5eqjbj75zlprobh4aqa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
126a37d9189d9ef7872b74fb13f562bc8601622b6455e01fefd646b463966fa6
AsyncRAT
12859bb50366c248e9488a8852c0923bcb4135f8fcedcbac19228fe329ff39a7
AsyncRAT
3e9cb7d6eaaa8c07d939eca0bbfd2d670e349de2dd018c8d30ab59b5e19ddc95
AsyncRAT
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
AsyncRAT
847b3580cba59e7f4b453488c263544f3c481027d2ddf4f9f3988d84afc35c85
AsyncRAT
96256638f3441f3b5c12e3fd667daa2cbbc1935300dc6ac2606fad8ced276d2e
AsyncRAT
a4df5e9015f70b47dc4f2e6bae0fbeb9d108979e0cda7ef54aa123a0d33bdf8b
AsyncRAT
bbae735df39c1301901ca97c6993f2b6fd7233a0360761eab8b65f2556df4517
AsyncRAT
c8cc7c1a1210a082960b929c3598521979e16c1c6f5626b8ad29b9618ab5e18c
AsyncRAT
d0d47f1c08031d4297f713a98d6ca969009df8c0f637110622190d4ff9727106
AsyncRAT
+ 342 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat family:asyncrat
Link:
https://tria.ge/reports/201005-jnamtkz2n2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
AsyncRat
Unpacked files
SH256 hash:
c208e1ec65a3bbfa95c6afc65532d2aeacf5a32baf4904853fee56f8b827e020
MD5 hash:
6d27ac6f92afb382bcb38a9f2b1315ae
SHA1 hash:
34b02a543a0147a245861c0b9df756e81561fd70
Link:
https://www.unpac.me/results/2d743e5c-ff8c-4b22-8459-81d31d5f4e1d/
SH256 hash:
4d722880f276c2fd1e46715e73b8303ab05d7e9b1b59f31ddab870c593c4ef3d
MD5 hash:
4030d60781591a6d5ef08a643eebdb8c
SHA1 hash:
00013d4c30bf14a6a7731d992d486f099c7caf32
Link:
https://www.unpac.me/results/2d743e5c-ff8c-4b22-8459-81d31d5f4e1d/
SH256 hash:
2e78f0ba1c93179c23234fbfd779077d3ca5bd3d263a90eb8f5dce05d355c366
MD5 hash:
de566e9813670fc364f1b8149a40a498
SHA1 hash:
29b74683fe56b9f00796a499f575caf6f08608c5
Link:
https://www.unpac.me/results/2d743e5c-ff8c-4b22-8459-81d31d5f4e1d/
SH256 hash:
b9da510179f5ab4c525da1b2baed0b9fdfd806928164577585781c68c2a7a139
MD5 hash:
05613a32dc15ae843312b61f94bfb3eb
SHA1 hash:
ea5a4988eec2d1b168681009162a8c906c341270
Link:
https://www.unpac.me/results/2d743e5c-ff8c-4b22-8459-81d31d5f4e1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c208e1ec65a3bbfa95c6afc65532d2aeacf5a32baf4904853fee56f8b827e020

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/68299/

Comments