MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c25d7f5497f9a12e564244665d9e83740bbcb88fa384fba9d3bc704f4da7d442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c25d7f5497f9a12e564244665d9e83740bbcb88fa384fba9d3bc704f4da7d442
SHA3-384 hash: c6dd5105fa8257955a33dcc56fd4a7df8213c456374ae0193cb0f76cefba06e4fb6f65eb215d47e197b154507534b532
SHA1 hash: ae798a2e1921df6db7901beffbd6ba447d3c8bec
MD5 hash: 7528f37e6e667a6a4783ebc4eb2582a7
humanhash: golf-alanine-william-connecticut
File name:exel.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'830'912 bytes
First seen:2021-12-01 14:56:45 UTC
Last seen:2021-12-01 16:36:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:3nxmD1rVjinxmD1rVjinxmD1rVjsVpa8+:3AhjiAhjiAhjQa
Threatray 7'837 similar samples on MalwareBazaar
TLSH T11685120D73FA5F10E6B44BF5A970A6584B76743E7871E7AC1E84E4CB4230F10A65AB23
Reporter ankit_anubhav
Tags:AsyncRAT exe VenomRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
зип архив.zip
Verdict:
No threats detected
Analysis date:
2021-12-01 11:40:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/670afbd1-e130-4116-a82d-c49c63cb77f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210357/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.8869.21955.7244.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a78d3f86bf67e7121d8305/reports/0b0c8554-4cad-4641-9c23-1f2fcb27060a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36cd760d-1a2d-458b-a42f-e32d66d52049
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/899536
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532014 Sample: exel.exe Startdate: 01/12/2021 Architecture: WINDOWS Score: 84 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected AsyncRAT 2->59 61 .NET source code contains potential unpacker 2->61 63 Machine Learning detection for sample 2->63 9 exel.exe 15 3 2->9         started        14 exel.exe 2 2->14         started        process3 dnsIp4 49 cdn.discordapp.com 162.159.135.233, 443, 49776, 49780 CLOUDFLARENETUS United States 9->49 45 C:\Users\user\AppData\Local\...\exel.exe.log, ASCII 9->45 dropped 67 Injects a PE file into a foreign processes 9->67 16 exel.exe 6 9->16         started        51 162.159.133.233, 443, 49779 CLOUDFLARENETUS United States 14->51 69 Multi AV Scanner detection for dropped file 14->69 71 Machine Learning detection for dropped file 14->71 19 exel.exe 14->19         started        file5 signatures6 process7 dnsIp8 43 C:\Users\user\AppData\Roaming\exel.exe, PE32 16->43 dropped 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        47 111.90.143.12, 4899, 8080 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 19->47 file9 process10 signatures11 27 exel.exe 2 22->27         started        31 conhost.exe 22->31         started        33 timeout.exe 1 22->33         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 24->65 35 conhost.exe 24->35         started        37 schtasks.exe 1 24->37         started        process12 dnsIp13 53 192.168.2.1 unknown unknown 27->53 55 cdn.discordapp.com 27->55 73 Injects a PE file into a foreign processes 27->73 39 exel.exe 27->39         started        41 exel.exe 27->41         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c25d7f5497f9a12e564244665d9e83740bbcb88fa384fba9d3bc704f4da7d442/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 14:57:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
06d230cca12e200a7b7400e0a6a36fec7811a9d88fadb147fef454c953a23061
AsyncRAT
168f62c6ea11a386469563c360ee5517da31015e774ccc9c8ba3d1bd4b4f45ef
AsyncRAT
17dc1fee7e207e38779e7224fd0c5b9fd62909ada1c870c832bc603b2d11643b
AsyncRAT
4d87dc42d7955f0441294956abfd9878b967ca196c6e1a3be40affc4877da5f9
AsyncRAT
83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a
AsyncRAT
85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24
AsyncRAT
d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2
AsyncRAT
+ 7'827 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:venom clients rat
Link:
https://tria.ge/reports/211201-sbk3aagbf3/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
111.90.143.12:4489
111.90.143.12:8080
111.90.143.12:4899
Unpacked files
SH256 hash:
c25d7f5497f9a12e564244665d9e83740bbcb88fa384fba9d3bc704f4da7d442
MD5 hash:
7528f37e6e667a6a4783ebc4eb2582a7
SHA1 hash:
ae798a2e1921df6db7901beffbd6ba447d3c8bec
Link:
https://www.unpac.me/results/3be0de48-b757-44f6-8f5a-a0ca31e24edb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c25d7f5497f9a12e564244665d9e83740bbcb88fa384fba9d3bc704f4da7d442

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Encoded_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/210357/

Comments