MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf7197b0cda0b202978ad64f10b4eeb25c10774e4275558148cd47e7fd000fa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf7197b0cda0b202978ad64f10b4eeb25c10774e4275558148cd47e7fd000fa6
SHA3-384 hash: c80118704a9f14990dc797964830d2a15720487b5ebd44b16398504cee08a4ac455c7919c0e23d138a207fdfcf99c066
SHA1 hash: fdbda71bea4ff6adf967cb0b8366a514ab2951be
MD5 hash: bbbddac0de88f99ea74a7fe4ad063407
humanhash: fillet-london-music-kilo
File name:efDAWpobKv9RKuN.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'113'088 bytes
First seen:2021-03-09 15:55:15 UTC
Last seen:2021-03-09 17:45:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:AeGwiryVOoqg7+8WsS62Lu3F0WWWs/8a8emDAgAOiOoyQ1z0mieMPRM:Z1mu90p5/6eYv9kyxJM
Threatray 698 similar samples on MalwareBazaar
TLSH 1A35910122681F45E07C47385560A71887E3ACCEBF30DA89BDE9BDCB6F67E417691B06
Reporter abuse_ch
Tags:AsyncRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: business127-2.web-hosting.com
Sending IP: 162.0.209.209
From: admin@joevell.fun
Subject: Payment Notification
Attachment: proof.iso (contains "efDAWpobKv9RKuN.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
efDAWpobKv9RKuN.exe
Verdict:
Malicious activity
Analysis date:
2021-03-09 15:58:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb231dc6-bdae-47d7-a205-073065781f6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123309/
Detection(s):
SecuriteInfo.com.ArtemisBBBDDAC0DE88.6816.13044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/633137
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365539 Sample: efDAWpobKv9RKuN.exe Startdate: 09/03/2021 Architecture: WINDOWS Score: 88 54 Found malware configuration 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 Yara detected AntiVM_3 2->58 60 5 other signatures 2->60 8 efDAWpobKv9RKuN.exe 7 2->8         started        11 sync.exe 4 2->11         started        process3 file4 42 C:\Users\user\AppData\Roaming\pciVZhWV.exe, PE32 8->42 dropped 44 C:\Users\...\pciVZhWV.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp65F6.tmp, XML 8->46 dropped 48 C:\Users\user\...\efDAWpobKv9RKuN.exe.log, ASCII 8->48 dropped 14 efDAWpobKv9RKuN.exe 6 8->14         started        17 schtasks.exe 1 8->17         started        62 Machine Learning detection for dropped file 11->62 19 sync.exe 11->19         started        22 schtasks.exe 11->22         started        signatures5 process6 dnsIp7 50 C:\Users\user\AppData\Roaming\sync.exe, PE32 14->50 dropped 24 cmd.exe 1 14->24         started        26 cmd.exe 1 14->26         started        28 conhost.exe 17->28         started        52 79.134.225.83, 49724, 49727, 49728 FINK-TELECOM-SERVICESCH Switzerland 19->52 30 conhost.exe 22->30         started        file8 process9 process10 32 sync.exe 3 24->32         started        34 conhost.exe 24->34         started        36 timeout.exe 1 24->36         started        38 conhost.exe 26->38         started        40 schtasks.exe 1 26->40         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 15:56:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
104
AV detection:
21 of 47 (44.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5yzpmgnuczaff4k2zhrbnhowjoba52oij2vlakizvd6p7iab6ta._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0436d6f4b359931843bd7138af740f54ce65b9270adc23d70b6105283f4b48be
AsyncRAT
1d39f2f7f9637f6529ecd2e06b5ad41db168e32c33ccb6f00ecd1cadc70300f1
AsyncRAT
5b0ffdd98aa6a53e13e00b7723f9c8085e7b03356c5ec4e77cc88c9779011b74
AsyncRAT
a4df3907640f596ab2f05793362a19de2cd01b05b20fd142f46cc47dd61c901c
AsyncRAT
d02744b13cf330e20f47b85ed95d62ed634d9423a9b801a5cb2d694147110103
AsyncRAT
f002c41c789f3a5692c0657d671f279a05daf9814d5c95ca0ecff4d6b1193153
AsyncRAT
f0f7f9f3d293065a8554c6b9e4757bf511dd3577636ca1a075e0afd206250e5e
AsyncRAT
f3de338bdde024a21dc1e987f41930a1b8ff9799adbab67f2345e8e648e81663
AsyncRAT
f9cff9e6050b1536e55014e7eafdc8827fb237e9235ff60265c5d1afaa5d5e6e
AsyncRAT
fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c
AsyncRAT
+ 688 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210309-czqz53ds42/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
79.134.225.83:7707
Unpacked files
SH256 hash:
f9d949d2f56c449c5d346bb93ed04d38426f563b022dd179ae330dab46682c3b
MD5 hash:
871e23d748ba756eaab5777708f250f8
SHA1 hash:
c9816d4ab38541aaab9aa3eab7cb4898d0b72e4a
Link:
https://www.unpac.me/results/d5103f75-ff06-4dd0-af50-797a0c727a00/
SH256 hash:
cf7197b0cda0b202978ad64f10b4eeb25c10774e4275558148cd47e7fd000fa6
MD5 hash:
bbbddac0de88f99ea74a7fe4ad063407
SHA1 hash:
fdbda71bea4ff6adf967cb0b8366a514ab2951be
Link:
https://www.unpac.me/results/d5103f75-ff06-4dd0-af50-797a0c727a00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/cf7197b0cda0b202978ad64f10b4eeb25c10774e4275558148cd47e7fd000fa6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

iso d5ce04b0790bfccedd0a48a568ff4475a5c14f1f94afaae20d595dda3a0947e8

AsyncRAT

Executable exe cf7197b0cda0b202978ad64f10b4eeb25c10774e4275558148cd47e7fd000fa6

(this sample)

  
Dropped by
MD5 ed1e29f6a10237d9f4966a71d75aa355
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d5ce04b0790bfccedd0a48a568ff4475a5c14f1f94afaae20d595dda3a0947e8
Cape
Cape
https://www.capesandbox.com/analysis/123309/

Comments