MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1bb3096cd920d4c3ca880bb368cf0a0aa4b74b4afc8defd01fb472952f40a15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1bb3096cd920d4c3ca880bb368cf0a0aa4b74b4afc8defd01fb472952f40a15
SHA3-384 hash: f10a36fcad11ad425fdf7a3b04a956278398ab2db7e31e9aff6a6b3b9a60410a44f919a6cd38aafce41efad22a7c360b
SHA1 hash: 44bc91e06321dc60f8b072c62161eb6abb788bfb
MD5 hash: 9c917054ae23ff2061a43ea013bddc29
humanhash: spring-finch-ink-crazy
File name:SOA- 14-02-2022.PDF.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:753'664 bytes
First seen:2022-02-14 11:31:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:cpg7TigS2FhPoYXhL4x9K7tU7kcchdYoPfEqVrE7zEDAmz6rBSNsC/0DyqKqQeN4:0gnSrqLy9K7tNVLYqfEII7ziAmz6NSNr
Threatray 657 similar samples on MalwareBazaar
TLSH T114F4F10177A7AB23C5BB0F7BD8A5424166B0E54E5117D73F68E132EC0C8B3685E7227A
File icon (PE):PE icon
dhash icon f8a4b2b4b4b4b2c0 (20 x AgentTesla, 8 x Loki, 6 x Formbook)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
91.193.75.132:9191

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.193.75.132:9191 https://threatfox.abuse.ch/ioc/387448/

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241355/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling autorun by creating a file
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3c684d9-313f-4bf4-9bfb-d8b19938c8e5
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939290
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 571768 Sample: SOA- 14-02-2022.PDF.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 11 other signatures 2->79 10 SOA- 14-02-2022.PDF.exe 7 2->10         started        14 images.exe 2->14         started        process3 file4 67 C:\Users\user\AppData\Roaming\uAbBwCroO.exe, PE32 10->67 dropped 69 C:\Users\user\AppData\Local\...\tmpB5CF.tmp, XML 10->69 dropped 85 Adds a directory exclusion to Windows Defender 10->85 16 SOA- 14-02-2022.PDF.exe 6 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        87 Multi AV Scanner detection for dropped file 14->87 89 Injects a PE file into a foreign processes 14->89 23 powershell.exe 14->23         started        25 schtasks.exe 14->25         started        27 images.exe 14->27         started        signatures5 process6 file7 65 C:\Users\user\AppData\Roaming\images.exe, PE32 16->65 dropped 29 cmd.exe 1 16->29         started        31 cmd.exe 1 16->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        process8 process9 41 images.exe 29->41         started        44 conhost.exe 29->44         started        46 timeout.exe 29->46         started        48 conhost.exe 31->48         started        50 schtasks.exe 31->50         started        signatures10 81 Adds a directory exclusion to Windows Defender 41->81 83 Injects a PE file into a foreign processes 41->83 52 images.exe 41->52         started        55 powershell.exe 41->55         started        57 schtasks.exe 41->57         started        59 images.exe 41->59         started        process11 dnsIp12 71 91.193.75.132, 49784, 9191 DAVID_CRAIGGG Serbia 52->71 61 conhost.exe 55->61         started        63 conhost.exe 57->63         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1bb3096cd920d4c3ca880bb368cf0a0aa4b74b4afc8defd01fb472952f40a15/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 11:32:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2g5tbfwnsiguypfiqc5tndhqucvew5fuv7en57ib7ndssuxubikq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
01b7ecba4c040bd3c352b2023e1f7f38c2b2ef741f23a91301153f03760d3505
AsyncRAT
03735ed519d86a5d8456393b63d97be01c426c4b441c49efd2fd010c5faf78ce
AsyncRAT
70b02ad515a1e01de0be858d8d61932ce951b6b49a9bd39a7a5121be65ef0f4f
AsyncRAT
7a8f5dbcd00d364145d28a29b058adc75da8041fe35d852ad9cf9ae439b51cfa
AsyncRAT
9bceb9680d39094087add5289a7e19aa93168faf9c5f2465700b117d59e8d841
AsyncRAT
acf07e3a8e5eab40aaa587590fe81ec7a98b0eb238d5640a857495500a9df71a
AsyncRAT
bc297a5178f17d2b1f7c69649155df74086c99486c2caa5a1117fd45f52f41fa
AsyncRAT
d1fea52507fc97ff419f8dd2ea8ecf689fb7c066cf8f18453378e95bf399c3d6
AsyncRAT
d3217fc16fe7991314f5f0fada36ed506921272105b0e230a0a37c1c1ae3f83d
AsyncRAT
da599a875bc329ff6666771a7b7df56e40a4727fd7e6261828aa8cd545a7a587
AsyncRAT
+ 647 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/220214-nnad4ahbd9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
c084cd69a6dba6a8d58ae58d3d744abdb3781fd83bf2d53be4ae0da7103190d8
MD5 hash:
3de7b1b444adc1dcdbc9db7fbe91d611
SHA1 hash:
cffd041d160e71f5a22425fca4af597763d9b791
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/7d92fe59-7b43-4e2c-8d50-281e0a995bf7/
Parent samples :
f65b4e4e128658c16a312b6b69a607661e09666ee2da27e74ed2023f563fbd23
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e
d1bb3096cd920d4c3ca880bb368cf0a0aa4b74b4afc8defd01fb472952f40a15
SH256 hash:
a7e33405fda153b02eada970c80b8747c86a62e120b3d2b91d6fb5fd61f99b1a
MD5 hash:
e6008fc11af5247245fc3bab1716373f
SHA1 hash:
b18e4e7dafaa9f7ba4d773d8d297fcfea91fdd4d
Link:
https://www.unpac.me/results/7d92fe59-7b43-4e2c-8d50-281e0a995bf7/
SH256 hash:
515d495e9af86257a42ac9ccf1ae82dc7c10fd20c3fcc8e937f10165f8c77a32
MD5 hash:
227fa29333021c1d8dae15b25e668bf8
SHA1 hash:
60ccc00a114596069b6056d18bbfa852c776f4c2
Link:
https://www.unpac.me/results/7d92fe59-7b43-4e2c-8d50-281e0a995bf7/
SH256 hash:
3ca74eb4ce4c2c5604dc298949ae47996d93063abfde0682d689205561d17d44
MD5 hash:
4e35b541f3d9162d0ac93d336df67779
SHA1 hash:
bb9e65761186806d4bada659e9d5db0c070501d4
Link:
https://www.unpac.me/results/7d92fe59-7b43-4e2c-8d50-281e0a995bf7/
SH256 hash:
d1bb3096cd920d4c3ca880bb368cf0a0aa4b74b4afc8defd01fb472952f40a15
MD5 hash:
9c917054ae23ff2061a43ea013bddc29
SHA1 hash:
44bc91e06321dc60f8b072c62161eb6abb788bfb
Link:
https://www.unpac.me/results/7d92fe59-7b43-4e2c-8d50-281e0a995bf7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1bb3096cd920d4c3ca880bb368cf0a0aa4b74b4afc8defd01fb472952f40a15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241355/

Comments