MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb8a3020513f5f20c9bf0024baa3e328fc8d54794b9b94f7ddc0e2bac208945f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb8a3020513f5f20c9bf0024baa3e328fc8d54794b9b94f7ddc0e2bac208945f
SHA3-384 hash: 5830624d4881225cdfdcc343d5faefddd704dac36f027d4173303bb025a21605dcf67aa7660b2cd81156cdd1bd37a5bc
SHA1 hash: 92b1e5a89388e4af8629d9c5b7c8dd9dd8b52e12
MD5 hash: 84d550bc3adcb845f8ff3077f54b0b7b
humanhash: equal-magnesium-violet-fillet
File name:ProForma2020.0728.0986.DOCX.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:405'504 bytes
First seen:2020-07-29 05:19:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:o9dPiPFmX6DsEskWvTB3AMgtAbDAJKetUaJFbwqHpCkTAGPpRpyly//c6pT0jx4a:oKcTEsks3RgosltUa7HseAGPpScAP
Threatray 334 similar samples on MalwareBazaar
TLSH 0084AE59BB90E917C3BE8135E2DD5518CFFCC196526BE3256844A3FB2AC33A3E4051B2
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: kimberlyijueter127.0.0.1
Sending IP: 178.239.162.27
From: booking@carltonhotel.site
Subject: Potrditev naročila / ProForma
Attachment: ProForma2020.0728.0986.DOCX.img (contains "ProForma2020.0728.0986.DOCX.exe")

AsyncRAT C2:
185.140.53.11:9845

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34110/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Sending a TCP request to an infection source
Result
Threat name:
AgentTesla AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401171
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252797 Sample: ProForma2020.0728.0986.DOCX.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Sigma detected: Scheduled temp file as task from temp location 2->61 63 10 other signatures 2->63 10 ProForma2020.0728.0986.DOCX.exe 5 2->10         started        process3 file4 37 C:\Users\user\AppData\...\&startupname&.exe, PE32 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp58A3.tmp, XML 10->39 dropped 41 C:\...\ProForma2020.0728.0986.DOCX.exe.log, ASCII 10->41 dropped 75 Injects a PE file into a foreign processes 10->75 77 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->77 14 ProForma2020.0728.0986.DOCX.exe 17 4 10->14         started        18 schtasks.exe 1 10->18         started        signatures5 process6 dnsIp7 53 185.140.53.11, 49703, 49705, 49706 DAVID_CRAIGGG Sweden 14->53 55 pastebin.com 104.23.99.190, 443, 49702 CLOUDFLARENETUS United States 14->55 43 C:\Users\user\AppData\Local\Temp\nbegpp.exe, PE32 14->43 dropped 20 cmd.exe 1 14->20         started        23 conhost.exe 18->23         started        file8 process9 signatures10 73 Suspicious powershell command line found 20->73 25 powershell.exe 14 20->25         started        28 conhost.exe 20->28         started        process11 dnsIp12 51 192.168.2.1 unknown unknown 25->51 30 nbegpp.exe 1 25->30         started        process13 signatures14 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 30->79 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 30->81 83 Injects a PE file into a foreign processes 30->83 33 nbegpp.exe 2 30->33         started        process15 dnsIp16 45 smtp.anjosetrindade-adv.pt 33->45 47 smtp.securemail.pro 81.88.48.66, 49708, 587 REGISTER-ASIT Italy 33->47 49 smtp-pt.securemail.pro 33->49 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->65 67 Tries to steal Mail credentials (via file access) 33->67 69 Tries to harvest and steal ftp login credentials 33->69 71 Tries to harvest and steal browser information (history, passwords, etc) 33->71 signatures17
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb8a3020513f5f20c9bf0024baa3e328fc8d54794b9b94f7ddc0e2bac208945f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 05:21:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zofdaicrh5psbsn7aaslvi7dfd6i2vdzjonzj565ydrlvqqisrpq._file
Verdict:
suspicious
Similar samples:
0650a30b2e54bc824ad7c986606f98d127e11dc0f401ad6465deb77e1ffb3f01
AsyncRAT
5b21a902c6ecee945467bf474131a618a7638e1757807f268300b21662e3fb12
AsyncRAT
70b1ba0ece1eaa61f8946de73d8528caff86b5255ba2fe05e15f5b507db5c8fc
AsyncRAT
82b29aea19d46b3da79de8efa015b73dd3589353e16b73579820ab8a1a0ec077
AsyncRAT
89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b
AsyncRAT
8a0779333aa240cc2fd83c8e32febca648d04c2e01db732fbc0e6180495b7ae9
AsyncRAT
92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9
AsyncRAT
c8bc2bde7ab29368fc3ac5e32367bf63156514940465721908846bcc353eec27
AsyncRAT
cb2b081b348a1b1838d98c802b3789d4d17b1992851dc317fc1df7a1c4a90f21
AsyncRAT
e509b23e338968bd1f1242df28436bf1c954d91b2410654d55d3812078eda6f8
AsyncRAT
+ 324 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat family:asyncrat spyware
Link:
https://tria.ge/reports/200729-t6xmgn988e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cb8a3020513f5f20c9bf0024baa3e328fc8d54794b9b94f7ddc0e2bac208945f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img 9a983f8d1243d8244b3bc3a4324ad32d9539a8b288febd68a901de3b6727c2b0

AsyncRAT

Executable exe cb8a3020513f5f20c9bf0024baa3e328fc8d54794b9b94f7ddc0e2bac208945f

(this sample)

  
Dropped by
MD5 4a432143a95fc810646f5c3f2e4f9634
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9a983f8d1243d8244b3bc3a4324ad32d9539a8b288febd68a901de3b6727c2b0
Cape
Cape
https://www.capesandbox.com/analysis/34110/

Comments