MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc63001c78b8e92131da07d0dfe03a780c02065bcc9598b6841da6fb67b96b51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc63001c78b8e92131da07d0dfe03a780c02065bcc9598b6841da6fb67b96b51
SHA3-384 hash: 2466f10cff14acf5602c9cbf4b9e38ecbbad1a0fb608a10b9abb6edbcfea1544c90c13619188f8a0dbd286a87c818c57
SHA1 hash: bf9d90623fe34f5e0df5f4cb1124d574205a4699
MD5 hash: ab4d7db428fa6f68c4f0d17d79349827
humanhash: robin-failed-ceiling-cardinal
File name:Scancopy06282022001.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:773'120 bytes
First seen:2022-06-28 16:39:21 UTC
Last seen:2022-06-28 19:39:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:3AG6siiPaXFv/ApcSrme2nyu7LTntl+yVQmFK:3iiPaXFv/AabJyu7Lf+yV9K
Threatray 1'213 similar samples on MalwareBazaar
TLSH T1F9F49E1867E8AE97C4AF437EF4512A194375F204EB57EB4B6398B0F93C92394DE50283
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 00ccd4d4d0c8d400 (7 x Formbook, 2 x Loki, 1 x NanoCore)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
212.192.241.130:8808

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.192.241.130:8808 https://threatfox.abuse.ch/ioc/719830/

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283998/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62bb2ee5cd5fc77b1d5184c7/reports/a0efacee-5bfe-41d5-9f36-34deb06dba15/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11423a36-d5fc-405c-86ee-8889bf14a6a1
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021394
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc63001c78b8e92131da07d0dfe03a780c02065bcc9598b6841da6fb67b96b51/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 16:40:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrrqahdyxduscmo2a7in7yb2pagaebs3zskzrnuedwtpwz5znniq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
AsyncRAT
240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa
AsyncRAT
47767c3479978a5ff02ff13b83076944f3b88c328b4446bceb601b7e48c3df86
AsyncRAT
4d3e4660aa4786dc407247255a54d403de68626337bbb814b14253838d5c075c
AsyncRAT
566e9322b2fd0fdd5263c23f128a166571b04e15a7626a1a78216a07c589f80e
AsyncRAT
577fb88c1647462cc74134947f959c3ab64519ef0d94c87c241a17acbbdfb3c3
AsyncRAT
6124faef534c43b40607b85ffc1798cb3064d7eb2239422d2b35826a6de5e3ee
AsyncRAT
805349748fac13914897312f803dddd30c94c64287016ce9f0ace62aaddc752e
AsyncRAT
9e61912502dcecae6db836a707146536ea7fbb1dee0ac462a6bc27ac8c25109d
AsyncRAT
+ 1'203 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat suricata
Link:
https://tria.ge/reports/220628-t6h2vaaham/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
212.192.241.130:6606
212.192.241.130:7707
212.192.241.130:8808
mineawrtes.ddns.net:6606
mineawrtes.ddns.net:7707
mineawrtes.ddns.net:8808
Unpacked files
SH256 hash:
5723367d7cd48b98eb468740ee30085b10bfa3d6a9774e36936e6026aa58af05
MD5 hash:
ccb0686ddfcd782f6adaab81f29a9348
SHA1 hash:
fb2138780442d54c9b367ae901c7150c1d21f087
Link:
https://www.unpac.me/results/77acd5c4-1d56-4abb-aa58-37a8a2957a85/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/77acd5c4-1d56-4abb-aa58-37a8a2957a85/
SH256 hash:
d9af58d64baa89cdf0f079e8d7a9c97572c1e01bebf75efedf253770f7e0c01b
MD5 hash:
aaa68c82af4f128f4d91ae1f7990ddba
SHA1 hash:
bda9e80a18eed1ef0d80446114c5e59c928af6cf
Link:
https://www.unpac.me/results/77acd5c4-1d56-4abb-aa58-37a8a2957a85/
SH256 hash:
4acdb7dfd2fe0a7413398c3529deeb3d9fd8aa756ad3f3ad41e796e85fd1b493
MD5 hash:
ef4df8823c395583c02f132db12d5aaa
SHA1 hash:
1eca9e7b69097c0a12a71687ef900d8fd14241a4
Detections:
win_asyncrat_w0
Create hunting rule
AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/77acd5c4-1d56-4abb-aa58-37a8a2957a85/
SH256 hash:
5b63485a833b0fca87a737a7c60acab595fa9557e55b8363d4507b15ba6e3386
MD5 hash:
bc2f18469308b61dce3707f62f151ae1
SHA1 hash:
03b9d32ae2fa33df3b4933535b6a8de909f57e41
Link:
https://www.unpac.me/results/77acd5c4-1d56-4abb-aa58-37a8a2957a85/
SH256 hash:
cc63001c78b8e92131da07d0dfe03a780c02065bcc9598b6841da6fb67b96b51
MD5 hash:
ab4d7db428fa6f68c4f0d17d79349827
SHA1 hash:
bf9d90623fe34f5e0df5f4cb1124d574205a4699
Link:
https://www.unpac.me/results/77acd5c4-1d56-4abb-aa58-37a8a2957a85/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc63001c78b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc63001c78b8e92131da07d0dfe03a780c02065bcc9598b6841da6fb67b96b51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283998/

Comments