MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c90d02ad5c11d80557d8bb0c7e97a3a10f59d78bfae7746b06e646d7757aec3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c90d02ad5c11d80557d8bb0c7e97a3a10f59d78bfae7746b06e646d7757aec3f
SHA3-384 hash: 52646cfded6133a208e34f03c1a670235752deb5a758923ccd4e23306769a28d264d1cbb9b965e312bf9f7630e5d03b9
SHA1 hash: 8b297fe371155bfad93c530d3110a803041bf591
MD5 hash: 46af3c410522637c111c2287f3083870
humanhash: xray-stairway-arizona-pasta
File name:INCOMING_VOICEMAIL_VAW.EXE
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:535'040 bytes
First seen:2022-02-04 05:34:38 UTC
Last seen:2022-02-04 07:52:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:AwMT+R/4JOvrbJA6KEE4FTkluwSICX4gDM15liiDNHQ5d6Q/EisH7yLjn1TlLPHi:AwwUAJOvr9AxEE4FTkluwSICX4gDM153
Threatray 473 similar samples on MalwareBazaar
TLSH T136B48D68EBD1B480E9290936B4FE52306333F5F24623C9767B566BB10757E3E6D84CA0
File icon (PE):PE icon
dhash icon 8084aeacaeae8480 (6 x AsyncRAT)
Reporter cocaman
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INCOMING_VOICEMAIL_VAW.EXE
Verdict:
Malicious activity
Analysis date:
2022-02-04 05:46:05 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/95b8c8e9-dc88-480d-931f-49a3b7951822

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/232843/
Detection(s):
SecuriteInfo.com.Typical_Malware_String_Transforms.25527.5927.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61fcbb0da0f6a794b3380194/reports/848c3d0b-794a-4139-b258-9397a8ca028c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/91bca483-f771-4ff6-ab07-9aec5ddfdf91
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933852
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c90d02ad5c11d80557d8bb0c7e97a3a10f59d78bfae7746b06e646d7757aec3f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-04 05:35:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zegqflk4chmakv6yxmgh5f5duehvtv4l7ltxi2yg4zdno5l25q7q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
32b7e2037c9da21a3ee442f22c3c16fa151e1ead4cbcb481db3ecf732f70bb7a
AsyncRAT
5fa26640f035ff66988a56119a4beec19dafb507fc24f8eae6d369f4d777132f
AsyncRAT
7f4038057a5f22730f40129362cda67e5cd01417b55da09110ef60920e64c0c7
AsyncRAT
8639d94c28d1840858ff14f8d7cab9638d4b8c417897237089d49099c55eb94e
AsyncRAT
affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff
AsyncRAT
beec2c810aca784b885ecf892f121f12c9c404795563236697b9de705fb7b233
AsyncRAT
c74b4e185e035d9f08e8ba2aa83e76b27d1aa9dad31d660b2e278c74e8fd3a5f
AsyncRAT
cc800e95f94e83d4b409be62e262a3ee0d55321d4d12e03897edc1be40afe6d8
AsyncRAT
f9da50e312fa2e25247a7caf3ca482a2dd55a743bf246d99692bd4a0f0148f2c
AsyncRAT
+ 463 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/220204-f97mqaege9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/0c14a8aa-8ff4-469e-bbc3-9b6d420dc948/
SH256 hash:
aef1fbee71e171e707e3ae68335149521eaf837a4c7924344026c827be84ead5
MD5 hash:
f574c78e05a5700893e17a034c282146
SHA1 hash:
2c0043e305cd4d4fd0054d76c331bd5769a9d354
Link:
https://www.unpac.me/results/0c14a8aa-8ff4-469e-bbc3-9b6d420dc948/
SH256 hash:
c90d02ad5c11d80557d8bb0c7e97a3a10f59d78bfae7746b06e646d7757aec3f
MD5 hash:
46af3c410522637c111c2287f3083870
SHA1 hash:
8b297fe371155bfad93c530d3110a803041bf591
Link:
https://www.unpac.me/results/0c14a8aa-8ff4-469e-bbc3-9b6d420dc948/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c90d02ad5c11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c90d02ad5c11d80557d8bb0c7e97a3a10f59d78bfae7746b06e646d7757aec3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img 8686d4ecfd5fc57013850e3e6569a112abeb900bb7d7ceb757a86997b25214fe

AsyncRAT

Executable exe c90d02ad5c11d80557d8bb0c7e97a3a10f59d78bfae7746b06e646d7757aec3f

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/232843/
  
Dropped by
SHA256 8686d4ecfd5fc57013850e3e6569a112abeb900bb7d7ceb757a86997b25214fe

Comments