MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9edf42affd4dae1e5c0260eb6095e8ea3f03812e2479820dc6a41183adbe827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 5


SHA256 hash: d9edf42affd4dae1e5c0260eb6095e8ea3f03812e2479820dc6a41183adbe827
SHA3-384 hash: 69198042eb1ae6b09f10f0c6eeea7024e94b03dfee0de2268bf6d53f60b5fb97735d26cf96e77dca2d99cf1f60fbc8a7
SHA1 hash: 65544ebcab2462f6ffdf0a44753e80f5bd73b88b
MD5 hash: 3cfae4b2047c5b68f5671a1b474a7b01
humanhash: wyoming-illinois-indigo-september
File name: d9edf42affd4dae1e5c0260eb6095e8ea3f03812e2479820dc6a41183adbe827
Signature: AsyncRAT
File size: 303'256 bytes
First seen: 2020-07-06 07:06:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 6144:QZ3j1nap0b5yjKx9y06DbqgRtr//DCj4TiDzCS5m4spFoQv8vqGu6mNr:StovqCBqvqGu64
Threatray: 560 similar samples on MalwareBazaar
TLSH: 5C549E352202FED7D75A1D70D0CE29100EE8BF936B72D19C7D8C22C951A6798CE59AF8
Reporter: JAMESWT_WT
Tags: AsyncRAT

Code Signing Certificate

Organisation: Microsoft Corporation
Issuer: Microsoft Code Signing PCA
Algorithm: sha1WithRSAEncryption
Valid from: Jul 12 20:11:19 2018 GMT
Valid to: Jul 26 20:11:19 2019 GMT
Serial number: 33000001B1DDEDBA54E965B85F0001000001B1
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 37A8A01D0CF930DCA58E725400AD06DD550970B92F49B0C3A15B321B4E4097DA
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 67
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Running batch commands
Creating a process with a hidden window
DNS request
Unauthorized injection to a system process
Deleting of the original file
Threat name: ByteCode-MSIL.Trojan.Johnnie
Status: Malicious
First seen: 2020-06-28 16:00:16 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments