MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7bdbb500c40f13f255bcd55558dcbd3a059a6a7fb886df328a53fdc454a3327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7bdbb500c40f13f255bcd55558dcbd3a059a6a7fb886df328a53fdc454a3327
SHA3-384 hash: f6d74a81f7b1b1f5efdd95342138b0c150cb60e82683fe77369956bfe5a6bcd7bd5298414558b28c58deda5f73fc0191
SHA1 hash: a00efd798b7c083a3d6b841722d2b1e25bbdb95a
MD5 hash: 1e2d477a60ae105836fe2bb84843cd26
humanhash: beer-chicken-beryllium-lake
File name:POIN00043INBOMSpecifications Sheet^^^^^dwg.sc.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:340'992 bytes
First seen:2022-03-29 09:50:08 UTC
Last seen:2022-03-29 10:41:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'757 x AgentTesla, 19'665 x Formbook, 12'254 x SnakeKeylogger)
ssdeep 768:Ao6Qg2ZzEjss2VSg1I1cn0sspAgpq8hLyg1uMN0+dzsRs+eEr:CQ7qPpqOLy0uyL+fr
Threatray 1'815 similar samples on MalwareBazaar
TLSH T17274EA5A7A745132ED00CA3419F29E15D2EBEE6D2BE0551E24D8F66D1B322FE8F039C1
File icon (PE):PE icon
dhash icon 7068ccb0b2b2b2f8 (129 x AgentTesla, 54 x SnakeKeylogger, 28 x AveMariaRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
192.30.89.51:29843

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.30.89.51:29843 https://threatfox.abuse.ch/ioc/457399/

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/259105/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FNE.genEldorado.9993.10172.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6242d688a19c649412a52130/reports/59d3a84c-cdf9-4662-b2ae-285bc77c9c92/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d81a95a3-03d1-4454-b5d0-2e561e1c45f5
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/966573
Signature
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 599060 Sample: POIN00043INBOMSpecification... Startdate: 29/03/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 8 other signatures 2->53 7 POIN00043INBOMSpecifications Sheet^^^^^dwg.sc.exe 16 7 2->7         started        12 Wmfbigv.exe 14 2 2->12         started        14 Wmfbigv.exe 2 2->14         started        process3 dnsIp4 37 s22.filetransfer.io 188.114.97.7, 443, 49752, 49753 CLOUDFLARENETUS European Union 7->37 39 filetransfer.io 7->39 25 C:\Users\user\AppData\Roaming\...\Wmfbigv.exe, PE32 7->25 dropped 27 C:\Users\user\...\Wmfbigv.exe:Zone.Identifier, ASCII 7->27 dropped 29 POIN00043INBOMSpec...^^^^^dwg.sc.exe.log, ASCII 7->29 dropped 55 Writes to foreign memory regions 7->55 57 Injects a PE file into a foreign processes 7->57 16 RegAsm.exe 14 2 7->16         started        19 cmd.exe 1 7->19         started        41 188.114.96.7, 443, 49802, 49806 CLOUDFLARENETUS European Union 12->41 43 filetransfer.io 12->43 59 Machine Learning detection for dropped file 12->59 45 filetransfer.io 14->45 file5 signatures6 process7 dnsIp8 31 192.30.89.51, 29843, 49804 CLOUDSINGULARITYCA Canada 16->31 33 pastebin.com 104.23.98.190, 443, 49803 CLOUDFLARENETUS United States 16->33 35 192.168.2.1 unknown unknown 16->35 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7bdbb500c40f13f255bcd55558dcbd3a059a6a7fb886df328a53fdc454a3327/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-29 09:51:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y663wuamidyt6jk3zvkvldol2oqftjvh7oeg34ziuu75yrkkgmtq._file
Verdict:
malicious
Similar samples:
279b0de566cfa70c9f15ff2499b62a12d47d627eaa7912c719f57443e8eadd49
AsyncRAT
8342c94ddfd4cca232e9d1cd5faed48fdce02a694b062606b938401b502a0c30
AsyncRAT
838a8fab72d527c2817b806f6978e6e36de1a101d89646855704b5a0ae044db8
AsyncRAT
879ff8af101103d2387bbef6143dc2b4e233c7436d19e116c5fd78e132cfd05d
AsyncRAT
c2af46184ff730426a4867787fd7fb15737a3144f999b18d7b2fe0c67c0927a7
AsyncRAT
c39a8dafb70b4adfb21ca557c23f3b81fc965c204bb70d515f8903f3205b72b7
AsyncRAT
f3898ca67fa60276c5c6ace2385d54120cd792943c98e865fbdeb020cb5d4ac9
AsyncRAT
+ 1'805 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/220329-lvgqmshban/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unpacked files
SH256 hash:
c7bdbb500c40f13f255bcd55558dcbd3a059a6a7fb886df328a53fdc454a3327
MD5 hash:
1e2d477a60ae105836fe2bb84843cd26
SHA1 hash:
a00efd798b7c083a3d6b841722d2b1e25bbdb95a
Link:
https://www.unpac.me/results/b2faedbb-0350-4ea7-b2ff-66c5f93e1b2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c7bdbb500c40f13f255bcd55558dcbd3a059a6a7fb886df328a53fdc454a3327

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/259105/

Comments