MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb
SHA3-384 hash: d7097c4d459de8a4572cca94c9c5c5561cee8c70ea0d2b1949d7b561cb184993c981697314cf096a5ea7f3c429586e1f
SHA1 hash: dc1e9c054ebd05803ad604ce371fccaee6ac5807
MD5 hash: 4c9662b4fea4b520169b25fe9617e768
humanhash: minnesota-emma-burger-spaghetti
File name:cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'484'800 bytes
First seen:2020-11-06 10:39:30 UTC
Last seen:2020-11-07 12:48:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd6c8cceda8b0e47cf64c5128fde3f69 (17 x Loki, 9 x NanoCore, 8 x AsyncRAT)
ssdeep 24576:LdqOxsk2r38ulhAYcddMaCyQJynnBJHPAj9KUoOYzIo9ULq3:LDCv4mCdSJcf4hKUoOY0uULq3
Threatray 2'394 similar samples on MalwareBazaar
TLSH 5665D02DA2A14837CD632939DC1B57646836BE702F25758E27EF1C489F7D39D3829283
Reporter seifreed
Tags:AsyncRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
52
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-9784581-0
Create hunting rule

Win.Malware.Generic-9784689-0
Create hunting rule

Win.Trojan.Generickdz-9784846-0
Create hunting rule

Win.Trojan.Netwire-9784905-0
Create hunting rule

SecuriteInfo.com.Artemis0194C548A530.28501.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Deleting a recently created file
Connection attempt
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/522504
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310391 Sample: 73k4dRFewf Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AntiVM_3 2->45 47 Yara detected AsyncRAT 2->47 49 3 other signatures 2->49 8 73k4dRFewf.exe 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 51 Detected unpacking (changes PE section rights) 8->51 53 Detected unpacking (creates a PE file in dynamic memory) 8->53 55 Detected unpacking (overwrites its own PE header) 8->55 57 5 other signatures 8->57 13 73k4dRFewf.exe 8->13         started        16 notepad.exe 1 8->16         started        18 73k4dRFewf.exe 11->18         started        process5 signatures6 20 73k4dRFewf.exe 2 13->20         started        23 notepad.exe 1 13->23         started        65 Drops VBS files to the startup folder 16->65 67 Delayed program exit found 16->67 69 Writes to foreign memory regions 18->69 71 Allocates memory in foreign processes 18->71 73 Maps a DLL or memory area into another process 18->73 25 73k4dRFewf.exe 18->25         started        28 notepad.exe 1 18->28         started        process7 dnsIp8 39 52.233.66.100, 49742, 49748, 49763 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->39 41 127.0.0.1 unknown unknown 20->41 59 Writes to foreign memory regions 25->59 61 Allocates memory in foreign processes 25->61 63 Maps a DLL or memory area into another process 25->63 30 73k4dRFewf.exe 3 25->30         started        33 notepad.exe 1 25->33         started        signatures9 process10 file11 35 C:\Users\user\AppData\...\73k4dRFewf.exe.log, ASCII 30->35 dropped 37 C:\Users\user\AppData\Roaming\...\Skype.vbs, ASCII 33->37 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 22:17:20 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zk6coswdfbvrb5y5mw5iczncjxjiyzkl6ig6y74www3r37zzmt5q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0b84a62fb1d8d120b92b316c02bdf18af2de5c0c5cd09f55b66e24899a4a6360
AsyncRAT
0dea20e41047659c9a7a7ef93599d0c918fe26e2322db8fb3e9ef333c5a48ca2
AsyncRAT
4075e5cedf262f587538979cd6d62ff4b0fc5bdf7f9a4b770ae9e297ea7c9fcc
AsyncRAT
4124fa166c07644eb29d7b813889a90795f9f1448f7cae2040a1375006748617
AsyncRAT
4457d49095a509a84ce5c9796b7470c03a95638e1f628882cb8f6331b0153efb
AsyncRAT
56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d
AsyncRAT
577e9a280fa8118a011ed908623c6cf4eafd923d59e4e60ca450932db5322cf4
AsyncRAT
e3a18338921238575f176f679030eac3352c24066d8da0602b3c8b4e75bb1bad
AsyncRAT
e45aa38e4f734a6b5e9d8e55d3b71b16e4ae389eb7c857bbdaa98fb47e1d9ef3
AsyncRAT
e678a72b6f30f69daafd945543d4bb3e58152c37f8a7b883ce96b9ddf1c1c482
AsyncRAT
+ 2'384 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb
MD5 hash:
4c9662b4fea4b520169b25fe9617e768
SHA1 hash:
dc1e9c054ebd05803ad604ce371fccaee6ac5807
Link:
https://www.unpac.me/results/79a6ceed-0bf1-493c-a5cf-b0ab07d0140e/
SH256 hash:
1d2957a1490a2223e3516b76486aece16871caed5d5278adbe3864347d77aa10
MD5 hash:
fd050a4850c93f30d89689423e17a04b
SHA1 hash:
c81219327ca0ff489d4a024c9cc16618a9a1778c
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/79a6ceed-0bf1-493c-a5cf-b0ab07d0140e/
Parent samples :
cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb
46bf7a6257a12bb2e56d9770eebc93606d9cf3f1f3af49ba987ebfef0ddb6216
2cd90fecf4222117ecf6478b1ead6bfa0d059303949f0cd91654b9b92d78ec09
ac8fcffe7966af957a58b52c744c026eff7acc393ffbc57d0fe9e8c2d901f68e
fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6
727a720f0ed8942d28c1cf7e7185f868706dcd2693f2868e6b5932f382020a39
SH256 hash:
8ea91752f5c7f35ac556ad9eeb50733e6a4e68b69520a834a4eca3f4d3dc857a
MD5 hash:
061ea5e590055a6c932b383fcaf2b055
SHA1 hash:
d9dc6848a6d71101b786df1bd97439f0a70cb8f3
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/79a6ceed-0bf1-493c-a5cf-b0ab07d0140e/
Parent samples :
cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb
46bf7a6257a12bb2e56d9770eebc93606d9cf3f1f3af49ba987ebfef0ddb6216
2cd90fecf4222117ecf6478b1ead6bfa0d059303949f0cd91654b9b92d78ec09
ac8fcffe7966af957a58b52c744c026eff7acc393ffbc57d0fe9e8c2d901f68e
fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6
727a720f0ed8942d28c1cf7e7185f868706dcd2693f2868e6b5932f382020a39
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments