MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd14caa036246f9cd233f3e80919d8565a8325b1c66794dd6a854b064aad0424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 12



SHA256 hash: dd14caa036246f9cd233f3e80919d8565a8325b1c66794dd6a854b064aad0424
SHA3-384 hash: 6987e19aace1ec32cd877bec9aa11a34d29fbbaa2cbe00e6e3926e500b0153b5ff2e42ba9d8dac1d5ac4a11c2fbb9bb1
SHA1 hash: 3bdabd115e629654e3af379ea43e4242293b181c
MD5 hash: a7eee9693988d5b366c69228c418b914
humanhash: fanta-indigo-orange-ink
File name: a7eee9693988d5b366c69228c418b914.exe
Signature: AsyncRAT
File size: 296'960 bytes
First seen: 2021-07-09 02:30:20 UTC
Last seen: 2021-07-09 03:40:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:2ekfW5h5PtVWgQ+8u+28wbmfctqDKr/eMhJ4rj+XmeR:2ih5dml0q1iKjqmeR
Threatray: 1'217 similar samples on MalwareBazaar
TLSH: T1BA5412503F96EAABC3DE4AB3D4E361400BF5E7414279EE1EF8AD605D2E273E54198702
Reporter: abuse_ch
Tags: AsyncRAT exe RAT
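The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples because it is the imphash of the .NET runtime stub, not of anything specific to this sample: a managed executable's only native import is mscoree.dll!_CorExeMain, and the vendor verdict further down (ByteCode-MSIL) confirms this file is .NET. The following Python is an added example, not MalwareBazaar or pefile code; it reimplements pefile's imphash algorithm on constructed import lists to show why the field collides, and gives a check an analyst can run before pivoting on it. The import lists, the family-count argument and the function names are assumptions.

```python
"""Imphash as computed by pefile (the algorithm behind MalwareBazaar's imphash
field), applied to constructed import lists. Added example; the import lists
are illustrative, not parsed from this sample."""
import hashlib


def imphash(imports):
    """imports: list of (dll name, imported function name) pairs in import-table order.

    Mirrors pefile.get_imphash(): lowercase the DLL name, strip a .dll/.ocx/.sys
    extension, lowercase the function name, join as "lib.func" with commas, MD5.
    Imports by ordinal (resolved through pefile's ordinal tables) are not modelled."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = stem
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Every .NET .exe carries exactly one native import: the CLR entry stub.
# The managed code it runs never appears in the import table.
DOTNET_EXE_STUB = [("mscoree.dll", "_CorExeMain")]

# A constructed native injector import set, for contrast (assumption).
NATIVE_INJECTOR = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("ADVAPI32.dll", "RegSetValueExW"),
]

ENTRY_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"  # imphash field of this entry


def is_generic_dotnet_imphash(value):
    """True when the imphash is the one every .NET .exe shares: it identifies
    the runtime stub, not the malware, so it is useless as a pivot."""
    return value.lower() == imphash(DOTNET_EXE_STUB)


def pivot_worthy(value, family_counts):
    """Decide whether an imphash is a usable pivot: reject the generic .NET value
    and reject hashes the corpus already spreads across several families.
    family_counts: {family: sample count}, as MalwareBazaar lists beside the field."""
    if is_generic_dotnet_imphash(value):
        return False
    return len(family_counts) <= 1


if __name__ == "__main__":
    print(imphash(DOTNET_EXE_STUB), is_generic_dotnet_imphash(ENTRY_IMPHASH))
    print(pivot_worthy(ENTRY_IMPHASH,
                       {"AgentTesla": 48666, "Formbook": 19479, "SnakeKeylogger": 12209}))
```

For .NET samples pivot on ssdeep, TLSH, the extracted configuration (C2 hosts below) or YARA hits instead; the imphash only tells you that the loader is managed code.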


abuse_ch
AsyncRAT C2:
142.202.190.36:4040

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
142.202.190.36:4040    https://threatfox.abuse.ch/ioc/158656/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 145
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a7eee9693988d5b366c69228c418b914.exe
Verdict: Suspicious activity
Analysis date: 2021-07-09 02:33:03 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signatures:
Creates an undocumented autostart registry key
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 446243
Sample: rdP2DYgoZ3.exe
Start date: 09/07/2021
Architecture: WINDOWS
Score: 96
Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AsyncRAT; 4 other signatures

Process tree (numbers are the graph's node IDs):
9 rdP2DYgoZ3.exe
    dropped: C:\Users\user\AppData\...\Adobe Acrobat.exe (PE32); C:\Users\user\AppData\...\rdP2DYgoZ3.exe (PE32); C:\...\Adobe Acrobat.exe:Zone.Identifier (ASCII); 2 other malicious files
    signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Injects a PE file into a foreign process
    15 rdP2DYgoZ3.exe
        dropped: C:\Users\user\AppData\...\Acrobat Reader.exe (PE32)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        25 cmd.exe
            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
            37 conhost.exe
            39 schtasks.exe
        28 cmd.exe
            41 Acrobat Reader.exe
                47 AdvancedRun.exe
            43 conhost.exe
            45 timeout.exe
    19 AdvancedRun.exe
        30 AdvancedRun.exe
            network: 192.168.2.1 (unknown)
    21 AdvancedRun.exe
        33 AdvancedRun.exe
13 Acrobat Reader.exe
    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
    23 AdvancedRun.exe
        35 AdvancedRun.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-06 17:49:08 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat persistence rat
Behaviour:
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Async RAT payload
Nirsoft
AsyncRat
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
sbmsbm20.duckdns.org:2020
sbmsbm20.duckdns.org:3040
sbmsbm20.duckdns.org:4040
hpdndbnb.duckdns.org:2020
hpdndbnb.duckdns.org:3040
hpdndbnb.duckdns.org:4040
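The ThreatFox indicator above and the six host:port pairs from the extracted configuration are the entry's network IOCs. The Python below is an added example rather than MalwareBazaar or ThreatFox code; it turns them into a matcher over constructed DNS and connection records. The record format, the 10.0.0.0/8 client addresses, the 203.0.113.77 resolution and the www.example.com traffic are all made up. Because the C2 hostnames are dynamic DNS (duckdns.org), the matcher remembers what they resolve to in the observed answers and flags connections to that address on any of the configured ports, instead of relying only on the single IP ThreatFox recorded on 2021-07-09.

```python
"""Match this entry's C2 indicators against network telemetry. Added example
(not MalwareBazaar or ThreatFox code); log lines are constructed and the line
format is an assumption."""

# Indicators taken from the entry: the ThreatFox IOC and the hosts/ports
# recovered from the sample's configuration.
C2_IP_PORTS = {("142.202.190.36", 4040)}
C2_HOSTS = {"sbmsbm20.duckdns.org", "hpdndbnb.duckdns.org"}
C2_PORTS = {2020, 3040, 4040}

# Constructed telemetry in a simplified line format (assumption):
#   <ts> dns  <client_ip> <query> <rrtype> <answer>
#   <ts> conn <src_ip>:<src_port> <dst_ip>:<dst_port> <proto>
# 203.0.113.77 (documentation range) stands in for a later resolution.
LOG = """\
2021-07-09T02:34:58Z dns 10.0.0.5 sbmsbm20.duckdns.org A 142.202.190.36
2021-07-09T02:34:59Z conn 10.0.0.5:51234 142.202.190.36:4040 tcp
2021-07-09T02:40:10Z dns 10.0.0.7 hpdndbnb.duckdns.org A 203.0.113.77
2021-07-09T02:40:11Z conn 10.0.0.7:51300 203.0.113.77:3040 tcp
2021-07-09T02:41:00Z conn 10.0.0.9:51400 142.202.190.36:443 tcp
2021-07-09T02:41:05Z dns 10.0.0.9 www.example.com A 93.184.216.34
2021-07-09T02:41:06Z conn 10.0.0.9:51401 93.184.216.34:443 tcp
"""


def parse_log(text):
    """Parse the constructed format into a list of event dicts, in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split()
        if kind == "dns":
            client, query, rrtype, answer = rest
            events.append({"ts": ts, "kind": "dns", "client": client,
                           "query": query.lower().rstrip("."),
                           "rrtype": rrtype, "answer": answer})
        elif kind == "conn":
            src, dst, proto = rest
            dst_ip, dst_port = dst.rsplit(":", 1)
            events.append({"ts": ts, "kind": "conn", "src": src, "dst_ip": dst_ip,
                           "dst_port": int(dst_port), "proto": proto})
    return events


def match_iocs(events):
    """Return (ts, client ip, confidence, reason) hits in log order.

    DNS answers for the C2 hostnames are remembered, so a later connection to
    whatever a duckdns name currently resolves to is caught even when that
    address is not the one ThreatFox recorded."""
    resolved = {}  # ip -> C2 hostname learned from observed DNS answers
    known_ips = {ip for ip, _ in C2_IP_PORTS}
    hits = []
    for e in events:
        if e["kind"] == "dns":
            if e["query"] in C2_HOSTS:
                if e["rrtype"] in ("A", "AAAA"):
                    resolved[e["answer"]] = e["query"]
                hits.append((e["ts"], e["client"], "high",
                             f"DNS lookup of C2 host {e['query']}"))
            continue
        src_ip = e["src"].rsplit(":", 1)[0]
        key = (e["dst_ip"], e["dst_port"])
        if key in C2_IP_PORTS:
            hits.append((e["ts"], src_ip, "high",
                         f"connection to ThreatFox IOC {key[0]}:{key[1]}"))
        elif e["dst_ip"] in resolved and e["dst_port"] in C2_PORTS:
            hits.append((e["ts"], src_ip, "high",
                         f"connection to {resolved[e['dst_ip']]} ({e['dst_ip']}) on C2 port {e['dst_port']}"))
        elif e["dst_ip"] in known_ips or e["dst_ip"] in resolved:
            hits.append((e["ts"], src_ip, "low",
                         f"connection to known C2 address {e['dst_ip']} on unlisted port {e['dst_port']}"))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(parse_log(LOG)):
        print(*hit)
```

The low-confidence branch exists because a dynamic DNS address is shared hosting by nature: traffic to 142.202.190.36 on a port the configuration does not list may be unrelated, so it is reported but not treated as a confirmed beacon.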
Unpacked files
SHA256 hash: fdb360c63af6b1d4051cb11536b04bebeae62459f00608f9b8620c1ea0d585c7
MD5 hash: 10a4f961bf387c14e358000dbbc19784
SHA1 hash: dd6849791ff71d6972a11ea0231ed71ad14d9a73

SHA256 hash: 32f3b3838c770f3f21853f8fc76d1a11376b7d0d41dbdd4beb820ae414b1119f
MD5 hash: 1eef9b54b105d2ca1e461d6c8e7624bc
SHA1 hash: 8d364614eb9cb3ece2d2da3aad1b651c749fb11f
Detections: win_asyncrat_w0

SHA256 hash: 29c142f10f3d2f2b8092125c0749d6a9a1d6c41b5ec6100ecbc9b741ecb74796
MD5 hash: 6992a3f3254e1f893994d6d028a0ab6e
SHA1 hash: f6048bea7f9c6a107edd5ed8beae682066ee401b

SHA256 hash: 72087d58483e58249c138c840ad7f8706c6bac64114603d061af3244581ba0c2
MD5 hash: 7ffbc1eca6aa419956a3b1f34531a1bb
SHA1 hash: af025f6f1c7f5603de8a504328369f51b193b68e

SHA256 hash: dd14caa036246f9cd233f3e80919d8565a8325b1c66794dd6a854b064aad0424
MD5 hash: a7eee9693988d5b366c69228c418b914
SHA1 hash: 3bdabd115e629654e3af379ea43e4242293b181c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments