MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7e2522e9de0314bf88eaf726500e09abcaad24a53c6d9fb7848e447a712b7e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7e2522e9de0314bf88eaf726500e09abcaad24a53c6d9fb7848e447a712b7e0
SHA3-384 hash: d5bac997bd5bda17dabeadceb9321dc90d459f19304df8618441a7cccca04c78d116694d5ebf4ba477c1debb8e8d409e
SHA1 hash: 24455133fd6ca1ad0d5d5f6fcab8e3dd91bf2a07
MD5 hash: 58e232f8417c027ec45e2a9b0678e1e6
humanhash: hot-purple-echo-kilo
File name:DAMAC-Floor plan and materials specs.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'357'312 bytes
First seen:2021-08-02 12:00:46 UTC
Last seen:2021-08-02 13:16:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:1kOnHtdqCSi5ofx8DgMfx8Dg6s4HWHeFRAe919pgFTZCOLL:1NdqM5o58DgM58DgSHW+FSg1ngZZCq
Threatray 1'637 similar samples on MalwareBazaar
TLSH T1F655AEBE3D41CDF6C2690275E5CAC89002AE9C1CD153BBDAB666326563F026BDD04CF9
dhash icon 30908a8c8c8a9030 (5 x Formbook, 3 x AsyncRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
185.87.51.159:8808

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.87.51.159:8808 https://threatfox.abuse.ch/ioc/165420/

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DAMAC-Floor plan and materials specs.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 12:02:47 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/bb02e4c0-a381-420a-a13f-b42050f4ba32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175793/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45cdde0e-2f98-41bb-bc24-6b5b81f2b2c2
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825483
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7e2522e9de0314bf88eaf726500e09abcaad24a53c6d9fb7848e447a712b7e0/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 12:01:08 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7rfelu54ayux6eov5zgkahatk6kvuskkpdnt63yjdsepjysw7qa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
266ff1cf087f8922516f03e2e5853c28efdcbc835b64dc23e7c355a3cc0dc173
AsyncRAT
646b7469b8447ea451720f3f0a3662923655fda17f05d6a995d16f94d4bfde15
AsyncRAT
662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b
AsyncRAT
7797da9505bd2ab985d9b1233977b6b11ab9f0e8da31a47b44e0af23c94af807
AsyncRAT
9d50ad601d3bd5e08d0a7aac1e09dba43330a03ec7c6e253a9afb0eb1138afd0
AsyncRAT
a8534e310ee42756cfc01caf1eeddc8f4bca6e7e7f36de1a90f5c6ccc480e90a
AsyncRAT
a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13
AsyncRAT
dc1a540149dffb968cc641f1770ffb45aaa29f23cd5e19483c474a71cc1737da
AsyncRAT
e830ffa639964fa44135b16ac5a9abb98052bcace0f2a8efc6236fd5e74030df
AsyncRAT
ebd35b3cd174a681f57ec55b37d5a8df1db8c50c27e352912ef611c9dbf4fa39
AsyncRAT
+ 1'627 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat suricata
Link:
https://tria.ge/reports/210802-znhsv92yp2/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
exportmunic007.duckdns.org:6606
exportmunic007.duckdns.org:7707
exportmunic007.duckdns.org:8808
Unpacked files
SH256 hash:
95093ded51c5b2cbcb0a6f7ef84aa01d093925235ba5b6c1dbf91a47c6415d06
MD5 hash:
0f006651f17bf89b8c89ddcdc97ec8ec
SHA1 hash:
a20ac72b4f6268bece7b34b66e7a5fcd1ac3c42b
Link:
https://www.unpac.me/results/9f3cf131-6f31-4266-aafb-7dfbff65b3cb/
SH256 hash:
d7aa833d347ee02b046d7206ddb43f05fd7472145e6ee33cc794811b27c2c901
MD5 hash:
262bf13cbfb3fa0931c5b5d74206c9d0
SHA1 hash:
463f5d71ff47e57402d7e6619b937520ad0d15c6
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/9f3cf131-6f31-4266-aafb-7dfbff65b3cb/
Parent samples :
285643b564416a5b6f530cbbf6d5f1e9d35b4a20c73a0c141c436199b9bfef7b
c7e2522e9de0314bf88eaf726500e09abcaad24a53c6d9fb7848e447a712b7e0
7f551e6a36a2dc54fd7de27d7fee9e553a8177a37ffbb2ef3033b9492e681ab6
SH256 hash:
cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c
MD5 hash:
a0f625a3d3348903f3c902f588c0e4f5
SHA1 hash:
20d1f0b74abe6f500e8c21119f55281926210ac0
Link:
https://www.unpac.me/results/9f3cf131-6f31-4266-aafb-7dfbff65b3cb/
SH256 hash:
c7e2522e9de0314bf88eaf726500e09abcaad24a53c6d9fb7848e447a712b7e0
MD5 hash:
58e232f8417c027ec45e2a9b0678e1e6
SHA1 hash:
24455133fd6ca1ad0d5d5f6fcab8e3dd91bf2a07
Link:
https://www.unpac.me/results/9f3cf131-6f31-4266-aafb-7dfbff65b3cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7e2522e9de0314bf88eaf726500e09abcaad24a53c6d9fb7848e447a712b7e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:silentbuilder_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175793/

Comments