MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 11



SHA256 hash: d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb
SHA3-384 hash: ca641b886c63a13f6abad4695b1dd4f0da130785dcc4af7e397ce97ccd1aba215137cc3d494c7cd7cbfe29238bc350b7
SHA1 hash: 54480aba9a090e9efb15695a55888c19b3dc183e
MD5 hash: 877446a3230a1bdc809f50ad1477c3fd
humanhash: vermont-kitten-pip-mexico
File name: 877446a3230a1bdc809f50ad1477c3fd
Signature: AsyncRAT
File size: 394'240 bytes
First seen: 2021-07-23 12:24:13 UTC
Last seen: 2021-07-23 12:52:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 6144:pe67I9SY44abSJBK6OLlRYIPiltjGgpK3fbDb0ii6q57qaJIb8sdFpHR:pe9D44JBK5/YIPijCBzD/i3qFpH
Threatray: 2'363 similar samples on MalwareBazaar
TLSH: T15384E0987690F68FC05FCEB296905C309770B4A75747E393AC8722ED944F79A8E0A1D3
Reporter: zbetcheckin
Tags: 32 AsyncRAT exe
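The imphash on this entry is shared by roughly 80'000 samples across three unrelated families (AgentTesla, Formbook, SnakeKeylogger), which is the signature of a managed binary: a .NET executable's native import table holds a single entry, mscoree.dll!_CorExeMain, so every .NET EXE hashes to the same value and the imphash identifies the runtime, not the family. The following is an added example, not code from MalwareBazaar or from the sample: it reimplements the pefile imphash algorithm over an import list, derives the .NET stub value from it, and classifies a MalwareBazaar imphash line (value plus per-family counts, both copied from this entry) by how much a pivot on it is worth. The function and constant names are this example's own.

```python
import hashlib

# Extensions pefile strips from the import DLL name before hashing.
_STRIPPED_EXTS = {"ocx", "sys", "dll"}


def imphash(imports):
    """pefile-compatible import hash over an ordered list of (dll, function) pairs.

    Each import becomes "<dll minus .dll/.ocx/.sys, lowercased>.<function lowercased>";
    the entries are joined with commas in import-table order and MD5-hashed, so
    the same imports in a different order give a different hash. pefile resolves
    ordinal-only imports to names from its ordinal tables; this helper assumes
    names are already resolved (an assumption made to keep it self-contained).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXTS:
            lib = stem
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# The only native import a managed (.NET) EXE carries: the CLR entry stub.
# Every .NET EXE therefore collapses to the same imphash.
DOTNET_EXE_STUB = [("mscoree.dll", "_CorExeMain")]
DOTNET_EXE_STUB_IMPHASH = imphash(DOTNET_EXE_STUB)

# Values copied from this MalwareBazaar entry's imphash line.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"
PAGE_IMPHASH_FAMILIES = {"AgentTesla": 48650, "Formbook": 19462, "SnakeKeylogger": 12203}


def imphash_pivot_quality(value, family_counts):
    """Say how much an imphash pivot is worth before hunting on it.

    'clr-stub'        : the generic .NET stub hash; identifies the runtime, not the family.
    'shared'          : seen in more than one family; corroborate before pivoting.
    'family-specific' : seen in a single family; a usable pivot.
    """
    if value.lower() == DOTNET_EXE_STUB_IMPHASH:
        return "clr-stub"
    families_seen = sum(1 for count in family_counts.values() if count > 0)
    return "shared" if families_seen > 1 else "family-specific"


if __name__ == "__main__":
    print(DOTNET_EXE_STUB_IMPHASH, imphash_pivot_quality(PAGE_IMPHASH, PAGE_IMPHASH_FAMILIES))
```

On a real file, pefile.PE(path).get_imphash() produces the same value as the helper above. For a .NET sample like this one, ssdeep and TLSH (both listed on the entry) are the hashes to pivot on, since they cover the file body rather than the one-entry import table.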

Intelligence


File Origin
# of uploads: 2
# of downloads: 121
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2eaf147e46a106eaf7a6c8e618060e2f.exe
Verdict: Malicious activity
Analysis date: 2021-07-23 11:41:53 UTC
Tags: loader trojan stealer raccoon rat azorult vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-23 11:51:37 UTC
AV detection: 18 of 27 (66.67%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat rat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
omomom.ac.ug:6970
omkarusdajvc.ac.ug:6970
Unpacked files
SHA256 hash: a2142a27015c6e2201db2e6f5b906da138396dc7e2e4648ba54a4d5bfcdcd6ef
MD5 hash: 3db782431cb4400aa74ded17c6c3d4c2
SHA1 hash: a0e573e98bb70cae1b8cf74ab22dff3e4c2de7bb
Detections: win_asyncrat_w0

SHA256 hash: 4dc3d22e52b3bd39d3fdd3c25f7c9c2155f5fbfe78eb81ae4d7f0709820c5d08
MD5 hash: 8bc1024513bd4b40622cd99ec086d467
SHA1 hash: e2ad8f4506b624ac5650868da983c8514ccb16a3

SHA256 hash: c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash: 0327d1374a5ce015ad9c83c5de76e823
SHA1 hash: e521349d9e96a4191248747c42c78b6f88fc8f63

SHA256 hash: d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb
MD5 hash: 877446a3230a1bdc809f50ad1477c3fd
SHA1 hash: 54480aba9a090e9efb15695a55888c19b3dc183e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: AsyncRAT
File type: Executable exe
SHA256 hash: d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb (this sample)

Comments



zbet commented on 2021-07-23 12:24:14 UTC

url: hxxp://danielmi.ac.ug/ac.exe
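Turning the indicators on this entry into a check over connection logs, as an added example that is not part of the MalwareBazaar page or the reporter's comment: the two C2 entries come from the Malware Config block above and the download URL from the comment; the log lines, the "timestamp src_ip dst_host dst_port" log format, and all function names are constructed for illustration. Host-and-port matches are reported with the indicator's kind, and host-only matches are kept as lower-confidence hits rather than dropped.

```python
import re
from urllib.parse import urlparse

# Indicators copied from this MalwareBazaar entry: the two "C2 Extraction"
# entries and the download URL in the reporter's comment.
PAGE_IOCS = [
    "omomom.ac.ug:6970",
    "omkarusdajvc.ac.ug:6970",
    "hxxp://danielmi.ac.ug/ac.exe",
]

# Constructed connection-log lines for illustration (not from the page), in a
# simple "timestamp src_ip dst_host dst_port" form; adapt the split to your log.
CONSTRUCTED_LOGS = [
    "2021-07-23T12:30:01Z 10.0.0.5 omomom.ac.ug 6970",
    "2021-07-23T12:30:05Z 10.0.0.5 updates.example.net 443",
    "2021-07-23T12:31:10Z 10.0.0.7 danielmi.ac.ug 80",
    "2021-07-23T12:31:12Z 10.0.0.9 OMKARUSDAJVC.ac.ug 8080",
]


def refang(ioc):
    """Reverse common defanging (hxxp, [.], (.), {.}, [:]) so the indicator parses."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        s = s.replace(bad, good)
    return s


def parse_ioc(ioc):
    """Normalise a URL or host:port indicator to {"host", "port", "path"}."""
    s = refang(ioc)
    if "://" in s:
        u = urlparse(s)
        default_port = 443 if u.scheme == "https" else 80
        return {"host": u.hostname.lower(), "port": u.port or default_port, "path": u.path or "/"}
    host, _, port = s.partition(":")
    return {"host": host.lower(), "port": int(port) if port else None, "path": None}


def build_index(iocs):
    """host -> {port: kind}; kind is 'c2' for host:port entries, 'download' for URLs."""
    index = {}
    for ioc in iocs:
        p = parse_ioc(ioc)
        kind = "download" if p["path"] is not None else "c2"
        index.setdefault(p["host"], {})[p["port"]] = kind
    return index


def scan_logs(lines, iocs):
    """Return a hit for every log line whose destination host is an indicator.

    level is the indicator kind when host and port both match, and 'host-only'
    when only the host matches: still worth triage, since a RAT operator can
    move the listener port without changing the domain.
    """
    index = build_index(iocs)
    hits = []
    for line in lines:
        ts, src, host, port = line.split()
        host, port = host.lower(), int(port)
        if host not in index:
            continue
        kinds = index[host]
        level = kinds.get(port) or kinds.get(None) or "host-only"
        hits.append({"ts": ts, "src": src, "host": host, "port": port, "level": level})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(CONSTRUCTED_LOGS, PAGE_IOCS):
        print(hit)
```

Hostnames are compared case-insensitively because DNS is; the port for a bare URL falls back to the scheme default, which is what the download host would have been contacted on. Run against real logs, the host-only hits are the ones to review by hand before blocking.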