MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c30a7ae42996c5fba92d435a780ba04c4eec3a5f64d5aa7b7c3ecd85a9d74b8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c30a7ae42996c5fba92d435a780ba04c4eec3a5f64d5aa7b7c3ecd85a9d74b8a
SHA3-384 hash: 59b6616d634e529cf649e394fb7f10312b5ee74451d9c90bcc91f2f5dd47169558dadbc1ef450b75851b3a114839f176
SHA1 hash: 89a71bb5891942c8ee729d64874ade4a6dbcfd2a
MD5 hash: 5a3663d7ec27b2889b4f34124e1f69bb
humanhash: summer-alanine-oregon-quebec
File name:DHL_SHIPPING_DOCS_INV.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:308'736 bytes
First seen:2020-10-23 07:01:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:+D8SQxP5R/DoXykeSIh0BOGXaWXH9CEYtbw9:+XQl5R/
Threatray 28 similar samples on MalwareBazaar
TLSH BD64E43CAD9AA533E8BAE7B6D9F545DBF91064033822BD0E51C707454E0AB963DC321E
Reporter abuse_ch
Tags:AsyncRAT DHL exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: binexline.com
Sending IP: 95.211.148.82
From: YUNICE YANG (DHL-Delivery)<yunicekim@binexline.com>
Attachment: DHL_SHIPPING_DOCS_INV.z (contains "DHL_SHIPPING_DOCS_INV.exe")

AsyncRAT C2:
finishhouse.duckdns.org:6606 (79.134.225.82)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74964/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.fz.29364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507873
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c30a7ae42996c5fba92d435a780ba04c4eec3a5f64d5aa7b7c3ecd85a9d74b8a/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 06:39:36 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymfhvzbjs3c7xkjninnhqc5ajrhoyos7mtk2u634h3gylkoxjofa._file
Verdict:
unknown
Similar samples:
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
AsyncRAT
307f004326e684ce02104a8da2db8f3cfa93c4e1ab2d7da025204430d677f75d
AsyncRAT
3d5332d39427063ae210b52204b193c7d813fa69933168de167efbc9d8a24140
AsyncRAT
5b832740ae1f2a5c2c10e37aadd6d0b74d647a9ff853f091a2262ef0ae2c672c
AsyncRAT
8a953841629e0122e04d2b8cd56422a90919139f5d00df5f00b804752ce519cd
AsyncRAT
973ebbfe874f302c2a1becf596b98ee15598919b1c86dcb9c4b078d1b4535b38
AsyncRAT
b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c
AsyncRAT
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
AsyncRAT
ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
AsyncRAT
f542321c002730c6da48e824a8cce1210ea130d4d9809e713fb493b15df6b4c0
AsyncRAT
+ 18 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat spyware family:asyncrat
Link:
https://tria.ge/reports/201023-zbzjgpevwe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
c30a7ae42996c5fba92d435a780ba04c4eec3a5f64d5aa7b7c3ecd85a9d74b8a
MD5 hash:
5a3663d7ec27b2889b4f34124e1f69bb
SHA1 hash:
89a71bb5891942c8ee729d64874ade4a6dbcfd2a
Link:
https://www.unpac.me/results/f092d9e6-3424-41d6-9eab-337c3e9b1681/
SH256 hash:
04ee344b543a17f1b4f446d047cd7b3cc4e8816e9a50370c31a725da4f133915
MD5 hash:
76e741bc5f2d7a74739b2832aa7db009
SHA1 hash:
3306d6651b7affa967a7e7a556b1a369e9e283f2
Link:
https://www.unpac.me/results/f092d9e6-3424-41d6-9eab-337c3e9b1681/
SH256 hash:
1648cce519ade340045c83d3cf0cc6f04d1b337933058f24fd03e346fecea00b
MD5 hash:
bd7c7a5d910a85a3a10bba517fb63d1b
SHA1 hash:
8837a48b2fe0edbc0db490a8ad69f7ec5456b97a
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/f092d9e6-3424-41d6-9eab-337c3e9b1681/
Parent samples :
692558730f0958f58d37105b4926fb64fb75245f246ed752078ed576ea555e7b
c30a7ae42996c5fba92d435a780ba04c4eec3a5f64d5aa7b7c3ecd85a9d74b8a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip e2c0a34c8240a9320db66e65b798a17b852371bf39c3da92096fd825b51b2794

AsyncRAT

Executable exe c30a7ae42996c5fba92d435a780ba04c4eec3a5f64d5aa7b7c3ecd85a9d74b8a

(this sample)

  
Dropped by
MD5 04b81388b0405c73b7a38232a690da28
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74964/
  
Dropped by
SHA256 e2c0a34c8240a9320db66e65b798a17b852371bf39c3da92096fd825b51b2794

Comments