MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c7a647398282460a21fe3334a15d327c975c23cfdf4e08028c440b04b0404b73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AsyncRAT
Vendor detections: 12
| SHA256 hash: | c7a647398282460a21fe3334a15d327c975c23cfdf4e08028c440b04b0404b73 |
|---|---|
| SHA3-384 hash: | 167614782c4d6dbe48cf548c72ce8819d7268bd8ed31a081cfc01d8d4cf19a842e7c2c74b42c2291186b212ba01afe8e |
| SHA1 hash: | d26d65ae6cad14cbdeb1edfdca9d3eba3dee1c5c |
| MD5 hash: | 0afcb9f210ad0fbae66276f583a0d04b |
| humanhash: | georgia-jig-romeo-avocado |
| File name: | ORDER-210067.xls.exe |
| Download: | download sample |
| Signature | AsyncRAT |
| File size: | 1'216'237 bytes |
| First seen: | 2021-05-04 07:45:50 UTC |
| Last seen: | 2021-05-04 08:01:07 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | eaf850221ebb92188ccb4c061d41387b (1 x AsyncRAT, 1 x CoinMiner, 1 x CoinMiner.XMRig) |
| ssdeep | 12288:DMcf1rOmTgbOabObybOEcUFCw4z3Gzotx8wuVIeprv3:FN3WFJ4zduVIoD |
| Threatray | 4'322 similar samples on MalwareBazaar |
| TLSH | 7745B517BC4C7D8DF9927AB62D89B2295810FC34F628079B34C1BD0AE578397A077369 |
| Reporter |  abuse_ch |
| Tags: | AsyncRAT exe RAT |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 46.243.221.40:2703 | https://threatfox.abuse.ch/ioc/28918/ |
Intelligence
File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Detection:
asyncrat
Threat name:
Win32.Trojan.Caynamer
Status:
Malicious
First seen:
2021-05-04 07:46:12 UTC
AV detection:
19 of 47 (40.43%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
asyncrat
Similar samples:
+ 4'312 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Score:
10/10
Tags:
family:asyncrat persistence rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49746
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:46943
185.165.153.116:2703
185.165.153.116:49746
185.165.153.116:49703
185.165.153.116:46943
54.37.36.116:2703
54.37.36.116:49746
54.37.36.116:49703
54.37.36.116:46943
185.244.30.92:2703
185.244.30.92:49746
185.244.30.92:49703
185.244.30.92:46943
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49746
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:46943
178.33.222.241:2703
178.33.222.241:49746
178.33.222.241:49703
178.33.222.241:46943
rahim321.duckdns.org:2703
rahim321.duckdns.org:49746
rahim321.duckdns.org:49703
rahim321.duckdns.org:46943
79.134.225.92:2703
79.134.225.92:49746
79.134.225.92:49703
79.134.225.92:46943
37.120.208.36:2703
37.120.208.36:49746
37.120.208.36:49703
37.120.208.36:46943
178.33.222.243:2703
178.33.222.243:49746
178.33.222.243:49703
178.33.222.243:46943
87.98.245.48:2703
87.98.245.48:49746
87.98.245.48:49703
87.98.245.48:46943
chongmei33.publicvm.com:49746
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:46943
185.165.153.116:2703
185.165.153.116:49746
185.165.153.116:49703
185.165.153.116:46943
54.37.36.116:2703
54.37.36.116:49746
54.37.36.116:49703
54.37.36.116:46943
185.244.30.92:2703
185.244.30.92:49746
185.244.30.92:49703
185.244.30.92:46943
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49746
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:46943
178.33.222.241:2703
178.33.222.241:49746
178.33.222.241:49703
178.33.222.241:46943
rahim321.duckdns.org:2703
rahim321.duckdns.org:49746
rahim321.duckdns.org:49703
rahim321.duckdns.org:46943
79.134.225.92:2703
79.134.225.92:49746
79.134.225.92:49703
79.134.225.92:46943
37.120.208.36:2703
37.120.208.36:49746
37.120.208.36:49703
37.120.208.36:46943
178.33.222.243:2703
178.33.222.243:49746
178.33.222.243:49703
178.33.222.243:46943
87.98.245.48:2703
87.98.245.48:49746
87.98.245.48:49703
87.98.245.48:46943
Unpacked files
SH256 hash:
2eb8c179af45ee7720686011db90c9636782e5fe666b32c77cf69435ff5c873c
MD5 hash:
d49f602984a50fc612b9b9c67f653e36
SHA1 hash:
4c59952c54f553ed43febb3ffc0151b01f91ec68
Detections:
win_asyncrat_w0
SH256 hash:
f11470826fa4694abb192997374378fbb46f6abd7b7b22f1ac6026c55440a9fb
MD5 hash:
02209b7c1e3f69e6edbc541abc4055ac
SHA1 hash:
037267d864357432f1ae92c85d43274b77c562a5
SH256 hash:
c7a647398282460a21fe3334a15d327c975c23cfdf4e08028c440b04b0404b73
MD5 hash:
0afcb9f210ad0fbae66276f583a0d04b
SHA1 hash:
d26d65ae6cad14cbdeb1edfdca9d3eba3dee1c5c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | asyncrat |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect AsyncRat in memory |
| Reference: | internal research |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse |
|---|---|
| Author: | ditekSHen |
| Description: | Detects file containing reversed ASEP Autorun registry keys |
| Rule name: | pe_imphash |
|---|
| Rule name: | Reverse_text_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Reverse text detected |
| Rule name: | win_asyncrat_j1 |
|---|---|
| Author: | Johannes Bader @viql |
| Description: | detects AsyncRAT |
| Rule name: | win_asyncrat_w0 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect AsyncRat in memory |
| Reference: | internal research |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [B0023] Execution::Install Additional Program