MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78
SHA3-384 hash: 8e8d72e967340d2e484d00bca2e48aa39e29c6e4ffdf1aec5bc6be475861aadf80fc8c46bfc283db0c637895c2e110ef
SHA1 hash: cf53411aa0bfab7139cf72eb114b6ddb04466209
MD5 hash: d29e1f7882576618e79c9839d20084eb
humanhash: purple-one-cold-stairway
File name:PgaUefZU.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:48'128 bytes
First seen:2020-10-08 22:02:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:qx29Ms/FT1qc9H94kNvOr3ptIfLJB4lCMyjbdge3iQ+L2aOSjlOgSGuCVDUClZpA:qx29Ms9R9ir5GjJB4ZebKeSUS5qMrpKX
Threatray 338 similar samples on MalwareBazaar
TLSH 5A232A003BE9813AF27E5B786CF26145867BA2632603D54D3CCC11DB5B13BC69752AFA
Reporter pmelson
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486125
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295505 Sample: PgaUefZU.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AsyncRAT 2->35 37 3 other signatures 2->37 7 PgaUefZU.exe 7 2->7         started        11 hdsos.exe 2->11         started        process3 file4 27 C:\Users\user\AppData\Roaming\hdsos.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\...\PgaUefZU.exe.log, ASCII 7->29 dropped 39 Protects its processes via BreakOnTermination flag 7->39 41 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->41 13 cmd.exe 1 7->13         started        15 cmd.exe 1 7->15         started        43 Antivirus detection for dropped file 11->43 45 Multi AV Scanner detection for dropped file 11->45 47 Machine Learning detection for dropped file 11->47 signatures5 process6 process7 17 hdsos.exe 13->17         started        19 conhost.exe 13->19         started        21 timeout.exe 1 13->21         started        23 conhost.exe 15->23         started        25 schtasks.exe 1 15->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78/
Threat name:
ByteCode-MSIL.Backdoor.Crysen
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 22:04:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3zaui6ofom7j4txx3gdwwvadp4c7wzmyg6xe57lcpeibhr27fn4a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
02dd12ec33f4f1d1bbf4f3479ad5bc88be2a1c92f19461e6f25a754e213abc42
AsyncRAT
0dea20e41047659c9a7a7ef93599d0c918fe26e2322db8fb3e9ef333c5a48ca2
AsyncRAT
1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d
AsyncRAT
1d0d8c5370adf00c6dfcebcd398685e53871c2848d6241854cf338149c2bd7c3
AsyncRAT
341c2ff06edc558131f9517ebabf0ce7676457cc1d33c5ab7189961d0b28b0b8
AsyncRAT
632fad824e77666d3ccb676808a2f04eb349f1f0f1495e75b37aa47e690ffe14
AsyncRAT
99292ae82aea1cc66b3fbd7e9aa4139af2af3b5ea9be01ca2da1dfadabd24008
AsyncRAT
a16602864c33b68b083a8a404c6500b44bf3247c474071cb7dd4216a39e5347e
AsyncRAT
e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662
AsyncRAT
ebb67fcc05af7a919e225a7a1f8c5bfbd65b28c22f4659527b0afb4f968ccd49
AsyncRAT
+ 328 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat family:asyncrat
Link:
https://tria.ge/reports/201008-dg2ep23rze/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78
MD5 hash:
d29e1f7882576618e79c9839d20084eb
SHA1 hash:
cf53411aa0bfab7139cf72eb114b6ddb04466209
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/45b0fcd9-4e8e-4b56-a4c7-c4fc265c42d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78

(this sample)

  
Link
https://www.virustotal.com/gui/file/de414479c5733e9e4ef7d9876b54037f05fb659837ae4efd62791013c75f2b78/detection
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/69367/

Comments