MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c292d019df9deb09354d85ee3e021d61978038873bb2896508fe3931b20872c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c292d019df9deb09354d85ee3e021d61978038873bb2896508fe3931b20872c9
SHA3-384 hash: 48df5698dcf47807dd8c6121d5cd3b847645da973b391b74d66b9a7b9fde8bd7618ad8c85308e639a7bedb33a2377be0
SHA1 hash: c871da89e122dbac5a5a86a68ae977383b987dd8
MD5 hash: 0b776fe5b0b4967c1a9b519cdef9dc40
humanhash: echo-georgia-sodium-zulu
File name:0b776fe5b0b4967c1a9b519cdef9dc40.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:10'752 bytes
First seen:2022-05-22 15:31:08 UTC
Last seen:2022-05-22 16:31:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'649 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 192:WlQJxyNXNVw/YDmTMzalGrydKRaRBC4y:WlLNxmTMzaIrXaR04
Threatray 227 similar samples on MalwareBazaar
TLSH T195222A0967C88723CBF647FE89FB6341027CE71A0DA2D77F98D0164A6D2279497427B2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
20.77.254.176:2200

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
20.77.254.176:2200 https://threatfox.abuse.ch/ioc/626445/

Intelligence

File Origin
# of uploads :
2
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
0b776fe5b0b4967c1a9b519cdef9dc40.exe
Verdict:
Malicious activity
Analysis date:
2022-05-22 15:33:30 UTC
Tags:
trojan loader rat asyncrat
Link:
https://app.any.run/tasks/190c46c4-d63b-4821-99a1-a50cf0b04f56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273444/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Searching for the browser window
Searching for the window
Changing a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/628a574865e3381599368b41/reports/52bb8968-63c8-47ac-812a-35101e4bd1ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf8a4a0f-ec45-4a75-bec2-60dbbead88bd
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999368
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631864 Sample: kdANVaYsIg.exe Startdate: 22/05/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 11 other signatures 2->75 9 kdANVaYsIg.exe 15 18 2->9         started        process3 dnsIp4 55 machine3.duckdns.org 20.77.254.176, 2200, 49734, 49767 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->55 57 dayim.duckdns.org 91.151.84.177, 49724, 49726, 49745 ADEOXTECHUS Turkey 9->57 38 C:\Users\user\AppData\Roaming\...\pdf.exe, PE32 9->38 dropped 40 C:\Users\user\AppData\...\kdANVaYsIg.exe.log, ASCII 9->40 dropped 13 chrome.exe 17 254 9->13         started        17 pdf.exe 2 9->17         started        file5 process6 dnsIp7 59 192.168.2.1 unknown unknown 13->59 61 239.255.255.250 unknown Reserved 13->61 42 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 13->42 dropped 44 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 13->44 dropped 46 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 13->46 dropped 19 chrome.exe 16 13->19         started        22 AcroRd32.exe 15 39 13->22         started        24 chrome.exe 1 1 13->24         started        63 machine3.duckdns.org 17->63 65 windowsupdatebg.s.llnwi.net 17->65 file8 process9 dnsIp10 48 clients2.google.com 19->48 51 dayim.duckdns.org 19->51 53 4 other IPs or domains 19->53 26 RdrCEF.exe 22->26         started        28 AcroRd32.exe 8 6 22->28         started        signatures11 67 Uses dynamic DNS services 48->67 process12 process13 30 RdrCEF.exe 26->30         started        32 RdrCEF.exe 26->32         started        34 RdrCEF.exe 26->34         started        36 2 other processes 26->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c292d019df9deb09354d85ee3e021d61978038873bb2896508fe3931b20872c9/
Threat name:
ByteCode-MSIL.Worm.FFAuto
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 01:54:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ykjnago7txvqsnknqxxd4aq5mglyaoehhoziszii7y4tdmqioleq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
079871499bdc91b180fcd73f10d7db76fcabbbdd29017ad0f8fe82f5c18b39a8
AsyncRAT
0b3020eb6b8360bae5958d4f8e877fe532d1c21bbaa851c364aaef0b6f67e1ac
AsyncRAT
2b706f2254c046cc98027519e95de07d7e0d63ac61733db9c42fc2995b69fe48
AsyncRAT
40c935ce8104afa8a498a4bde6146fb548e202370212ebbb7851ed443b3af510
AsyncRAT
67741e596f4d59713a232bfb45d6cb0b2592f67b867773f72c2bb0fa2f749685
AsyncRAT
775ab7ffed2631864bc91813bd21153746938d4bc1045038a02da5d7fa4a5216
AsyncRAT
a678300e6317d7a0354316b152e371f9c21f4afc39cc9c058a56f224fd4a90a7
AsyncRAT
cbde068b97a9081568dea732d561f26c52946ebbadf260c2305b46f369b20c9d
AsyncRAT
f297f0a8651e14cf884331bc4ae10c238a6c79385741e507dc7df7c88b85beb8
AsyncRAT
+ 217 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default persistence rat suricata
Link:
https://tria.ge/reports/220522-sylmbsaeh6/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
machine3.duckdns.org:2200
Unpacked files
SH256 hash:
c292d019df9deb09354d85ee3e021d61978038873bb2896508fe3931b20872c9
MD5 hash:
0b776fe5b0b4967c1a9b519cdef9dc40
SHA1 hash:
c871da89e122dbac5a5a86a68ae977383b987dd8
Link:
https://www.unpac.me/results/81d7b85c-fa3c-47ec-adf1-6d92a6683fb1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c292d019df9deb09354d85ee3e021d61978038873bb2896508fe3931b20872c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273444/

Comments