MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c43676781fca6b654af09543db51c110a90669ab8ebc3e3958f97457674f21ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c43676781fca6b654af09543db51c110a90669ab8ebc3e3958f97457674f21ab
SHA3-384 hash: d316f39b32e6145ebee2a14fcd68b3ff8c6951d342ff9f1dcee2c0a6323c12ebabd00ed9cf8132dfeae97bfb26c6db10
SHA1 hash: 133879a2f91d46ba920568130974c29fa7f166f5
MD5 hash: c0700fae736a518608e228bf6ca45728
humanhash: coffee-earth-hamper-cardinal
File name:c0700fae736a518608e228bf6ca45728.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:141'824 bytes
First seen:2022-08-06 14:30:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26d0d990f4f5c7f4c5fbef81111aec3e (1 x AsyncRAT)
ssdeep 3072:OfGHHnlpLo6cDGz+hMnYWCBOFZMu0v9AI4/:PHHnLo6cKqhMYWCBOFZMzVAI4/
Threatray 5'106 similar samples on MalwareBazaar
TLSH T1CED39FE423B90C43C857E0B2EDB1FDF7A033701BD9DA28D8966993A8195F6345A5371C
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.5% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
124.222.98.55:3000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
124.222.98.55:3000 https://threatfox.abuse.ch/ioc/841654/

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0700fae736a518608e228bf6ca45728.exe
Verdict:
No threats detected
Analysis date:
2022-08-06 14:32:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/722a8ef8-6797-47db-92fc-cda300c66830

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296874/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28240/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug conti
Link:
https://www.filescan.io/uploads/62ee7b9eb6d6be9f01cca2a8/reports/865cead7-b6d0-4963-b815-d11b4362ab3e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0721b313-644f-47e0-985b-6443ae5eeff5
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1047296
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files with benign system names
Found API chain indicative of debugger detection
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679790 Sample: imzqmBM4Rl.exe Startdate: 06/08/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 5 other signatures 2->44 7 imzqmBM4Rl.exe 7 2->7         started        11 svchost.exe 3 2->11         started        process3 file4 30 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 7->30 dropped 32 C:\Users\user\AppData\...\imzqmBM4Rl.exe.log, ASCII 7->32 dropped 48 Found API chain indicative of debugger detection 7->48 50 Drops PE files with benign system names 7->50 13 cmd.exe 1 7->13         started        15 cmd.exe 1 7->15         started        52 Antivirus detection for dropped file 11->52 54 Multi AV Scanner detection for dropped file 11->54 signatures5 process6 signatures7 18 svchost.exe 2 13->18         started        22 timeout.exe 1 13->22         started        24 conhost.exe 13->24         started        56 Uses schtasks.exe or at.exe to add and modify task schedules 15->56 26 conhost.exe 15->26         started        28 schtasks.exe 1 15->28         started        process8 dnsIp9 34 124.222.98.55, 3000, 49742 JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR China 18->34 36 192.168.2.1 unknown unknown 18->36 46 System process connects to network (likely due to code injection or exploit) 18->46 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c43676781fca6b654af09543db51c110a90669ab8ebc3e3958f97457674f21ab/
Threat name:
Win64.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2022-08-02 07:43:17 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 25 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yq3hm6a7zjvwksxqsvb5wuobccuqm2nlr26d4oky7f2foz2pegvq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
147acbbf007be667ae676b798af1cc0c6ef598d510e2223044ca241225d081f9
AsyncRAT
162c17601f3f2d8eda02546e6ee08cabed5f01267fb75224073a3ac21f0ca3dc
AsyncRAT
8fa6091ecf36c321aa568e76eab235f21ff0ca7e5906d75cb8e6c26abd2ef656
AsyncRAT
9f5ff17f83e1324e818db69e26d1f9adb3b4c1c0d31e3768ef1a6fdf1239726e
AsyncRAT
a06ac68a934a22917663756b368cf8ecd584c868cc1a8b8dc306b232ff6494ae
AsyncRAT
c7ccd6379627a10943964b592a5f38764ae1d0d0d39d17760940871fb3cd2958
AsyncRAT
cdd4ab01797a178b70303381028cb419a8550a15fa75bdb40f6d56bc289b7dcf
AsyncRAT
e80fa82616da921b5f368edb0dea27f5a5ade7a3eb55ca89b32438c1900d7d34
AsyncRAT
+ 5'096 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/220806-rvpn5sffer/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
124.222.98.55:3000
Unpacked files
SH256 hash:
c43676781fca6b654af09543db51c110a90669ab8ebc3e3958f97457674f21ab
MD5 hash:
c0700fae736a518608e228bf6ca45728
SHA1 hash:
133879a2f91d46ba920568130974c29fa7f166f5
Link:
https://www.unpac.me/results/6e187d9d-bca5-4938-8914-a366e1935116/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c43676781fca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c43676781fca6b654af09543db51c110a90669ab8ebc3e3958f97457674f21ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296874/

Comments