MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd67ef7107328d363f55244c2f55fd3bd678da528c77f7d71eaca939acb2f092. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd67ef7107328d363f55244c2f55fd3bd678da528c77f7d71eaca939acb2f092
SHA3-384 hash: 07e473574930e2f3bdbbd518859455f65be8fad39a79214ed3dcca1448d983132a0c5a9fef4463bb6de6e725d6375eaa
SHA1 hash: a26b70207bf3579b37b70ac7fe88e33f4abe199e
MD5 hash: 4b496edda65eac1e6579252e378bcb59
humanhash: robert-sad-yellow-hot
File name:PO-EG-21-079-(g2energy).xlsx.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:319'488 bytes
First seen:2022-01-07 14:40:28 UTC
Last seen:2022-01-07 17:25:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:fvGlSu5c/lpxLROSnl3RZ1bRqbCtrZGw742IgdMJgFJ3bKLyTqIBhdkM1UQBp1jQ:OaxZ/RGiSgqsJr0cLBhdfdDX
Threatray 2'983 similar samples on MalwareBazaar
TLSH T18064A9ED3A410A72FDDEA0F07D11CB04BB674F03AA826AD623CB19CA974F1656D45C8D
File icon (PE):PE icon
dhash icon 4db292f2d88cb40b (15 x RemcosRAT, 13 x AgentTesla, 7 x NanoCore)
Reporter adrian__luca
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-EG-21-079-(g2energy).xlsx.exe
Verdict:
Malicious activity
Analysis date:
2022-01-07 14:43:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2b8bfd3-6cdc-4c88-974e-bd398fae5c16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217738/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38454864.20161.1249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Launching a process
Running batch commands
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/61d851071c0d769df9d5c8e5/reports/4efb1d77-02cc-4fd4-80c1-85f48be115b5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bf125b2-5b3e-4539-9cc6-e8b2e09016aa
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916875
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549354 Sample: PO-EG-21-079-(g2energy).xlsx.exe Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected AsyncRAT 2->66 68 8 other signatures 2->68 7 installputil.exe 3 2->7         started        11 PO-EG-21-079-(g2energy).xlsx.exe 3 2->11         started        13 installputil.exe 2 2->13         started        process3 file4 50 C:\Users\user\...\installputil.exe.log, ASCII 7->50 dropped 70 Multi AV Scanner detection for dropped file 7->70 72 Machine Learning detection for dropped file 7->72 74 Writes to foreign memory regions 7->74 76 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->76 15 cmd.exe 1 7->15         started        17 cmd.exe 1 7->17         started        19 cmd.exe 2 7->19         started        21 RegAsm.exe 3 7->21         started        52 C:\...\PO-EG-21-079-(g2energy).xlsx.exe.log, ASCII 11->52 dropped 78 Injects a PE file into a foreign processes 11->78 23 cmd.exe 3 11->23         started        26 cmd.exe 2 11->26         started        29 RegAsm.exe 15 2 11->29         started        32 cmd.exe 1 11->32         started        signatures5 process6 dnsIp7 34 conhost.exe 15->34         started        36 schtasks.exe 1 15->36         started        38 conhost.exe 17->38         started        40 conhost.exe 19->40         started        54 C:\Users\user\AppData\...\installputil.exe, PE32 23->54 dropped 56 C:\Users\...\installputil.exe:Zone.Identifier, ASCII 23->56 dropped 42 conhost.exe 23->42         started        80 Uses schtasks.exe or at.exe to add and modify task schedules 26->80 44 conhost.exe 26->44         started        58 217.64.149.171, 9009 OBE-EUROPEObenetworkEuropeSE Sweden 29->58 60 pastebin.com 104.23.99.190, 443, 49774, 49780 CLOUDFLARENETUS United States 29->60 46 conhost.exe 32->46         started        48 schtasks.exe 1 32->48         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd67ef7107328d363f55244c2f55fd3bd678da528c77f7d71eaca939acb2f092/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2022-01-05 12:19:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvt664ihgkgtmp2vergc6vp5hplhrwssrr37pvy6vsuttlfs6cja._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1e82d1b4f8e0fb39d6767162c50ac0893184c70160b2298cd57a0724b7d1fd82
AsyncRAT
25e21f55b7fbffe0d90e6845044e3e907964a5c278f29fcd1cf0fff9916a2ac3
AsyncRAT
4d5367bf571dfd7837563c0b9d58f5557cc251ba6fafdd26dd07bb3646b3bd1b
AsyncRAT
7da096df4561ecc9169365841e2f024e40165377384e25e82922b2d1f16b8aa0
AsyncRAT
82f7fb9726e51598e5a804917f4c7ad162c4307dfd4e702d09f24b6b4dd49425
AsyncRAT
97f116891027a9cb8a2c59d5a0de5bd169ae05829b9b4e034bdb9326a54c8dd6
AsyncRAT
e19812727031bef0368880c6734ea4309368302e8fb5c6c3dea1dfa4821b26f7
AsyncRAT
ec1773386924814a953850ec438551a133c27541b156e6d685d9eda1477a65b4
AsyncRAT
fe154355036477bd31cfddcfe4f12d1d8a8baad12f088a6abf5836071509c50e
AsyncRAT
+ 2'973 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/220107-r2fd2scgcr/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
null:null
Unpacked files
SH256 hash:
cd67ef7107328d363f55244c2f55fd3bd678da528c77f7d71eaca939acb2f092
MD5 hash:
4b496edda65eac1e6579252e378bcb59
SHA1 hash:
a26b70207bf3579b37b70ac7fe88e33f4abe199e
Link:
https://www.unpac.me/results/d21b3fd3-7401-4e9a-a88f-349819605551/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd67ef7107328d363f55244c2f55fd3bd678da528c77f7d71eaca939acb2f092

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe cd67ef7107328d363f55244c2f55fd3bd678da528c77f7d71eaca939acb2f092

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/217738/

Comments