MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf364a11ce33f41f54a6a8466aff01c80c7900fa56eaf5dfa6489416d8c59149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	cf364a11ce33f41f54a6a8466aff01c80c7900fa56eaf5dfa6489416d8c59149
SHA3-384 hash:	23d7fce673af2484ab8400ed0e4a6a9d1d976e2c0fe09953ad69bdf804d36de92f4c1e1e2adca5eaef84be5635ccf315
SHA1 hash:	722f4172c0aedb451082e3be80ba3de7a7b7c92b
MD5 hash:	488237172ea032f435caaae15b962017
humanhash:	purple-equal-bluebird-oven
File name:	cf364a11ce33f41f54a6a8466aff01c80c7900fa56eaf5dfa6489416d8c59149
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	268'288 bytes
First seen:	2020-11-11 10:52:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5b6fd9945877b7e9d67b9e475c6d6ddf (16 x AgentTesla, 15 x AsyncRAT, 10 x Formbook)
ssdeep	6144:m0VLCVA+kUs/BCCIAZOroyoVAOm/Ge0m9Wz70oEGVkF:m0VLCVAz/BCTvDywbWzoCy
TLSH	8344BF15B4D2C433E0F601384AD4977788A9B9311B91A8BFF7940F2E5E347D29672B2B
Reporter	seifreed
Tags:	AsyncRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

DNS request

Connection attempt

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf364a11ce33f41f54a6a8466aff01c80c7900fa56eaf5dfa6489416d8c59149/

Threat name:

Win32.Backdoor.Crysan

Status:

Malicious

First seen:

2020-11-11 10:53:24 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z43eueoogp2b6vfgvbdgv7ybzaghsah2k3vplx5gjckbnwgfsfeq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201111-zzt4bxb73j/

Unpacked files

SH256 hash:

cf364a11ce33f41f54a6a8466aff01c80c7900fa56eaf5dfa6489416d8c59149

MD5 hash:

488237172ea032f435caaae15b962017

SHA1 hash:

722f4172c0aedb451082e3be80ba3de7a7b7c92b

Link:

https://www.unpac.me/results/6a0469b1-77e7-478a-becc-47a508ba004d/

SH256 hash:

cadd1e0dad7442347a08dd01dff26bc3950a257c30284214a3dcaebcb6f71ead

MD5 hash:

c5f54ee7ef5a37d68653877316957b31

SHA1 hash:

433e16ccf7d71308726e1730e49adfd9cef855e8

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/6a0469b1-77e7-478a-becc-47a508ba004d/

Parent samples :

812a2ed477ffdac4f86746d587fd8a34ac9c1f6b65c15a38ac08079c32ecfdce
cf364a11ce33f41f54a6a8466aff01c80c7900fa56eaf5dfa6489416d8c59149
156d0c5e68f17fb5294cd708f1660337165a307c8c7064ab86971efb39738bc8
176a363ccb3166d15e413874770dfff7b8df71fb9d39102c87030edd463ae1e2
29acf849f61e3ce83524dc5f277adc62d6c7027000a986f4f8d128063142d386
6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65
88af21c3af8ef0793eedb99d527a967baf487e7b239cc3f5231f951b743b51fe
91cb0ce1e1aea0e205d4ec211d136e3dc461cfa9c871fd28c66753cbe10a7666

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample