MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df6ee43d63f73f9a5c23fb87649ebe1cb1ded36423d2562f7b143454e3f063a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df6ee43d63f73f9a5c23fb87649ebe1cb1ded36423d2562f7b143454e3f063a2
SHA3-384 hash: a25995016d15b38499a48c8737750ec9ec8c3d76e3a112f9f7241065942ff2da5033dd43fbf92d5c46311bcb860b3f50
SHA1 hash: 1ecfcdf0fcfe4e6c70a674f83ec5a93f7c50c058
MD5 hash: f6bae28d44953239750ef459ea0517d4
humanhash: happy-hawaii-friend-texas
File name:putty city.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:880'640 bytes
First seen:2022-03-22 14:56:29 UTC
Last seen:2022-03-22 16:44:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:49ohwi+JmiZE/MEEyIslWqkuR1q5AymVfc8p7oPk:49ohWmiZE/MEEyIc9F65ANqk
Threatray 2'410 similar samples on MalwareBazaar
TLSH T12F1523803B589633CB5A1E748C17964E4B75D8665C13F7CAFC1A73A6A28E3CC474638B
Reporter JAMESWT_WT
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/254916/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1260.28571.24241.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6239e3d7dfdfa8501ccd0b63/reports/d11ea3c7-ee7e-412a-8cf1-6c34d6f1687d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961766
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 594247 Sample: putty city.exe Startdate: 22/03/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Multi AV Scanner detection for domain / URL 2->38 40 Found malware configuration 2->40 42 15 other signatures 2->42 7 putty city.exe 7 2->7         started        process3 file4 26 C:\Users\user\AppData\...FDRElxokx.exe, PE32 7->26 dropped 28 C:\Users\...FDRElxokx.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmpBD87.tmp, XML 7->30 dropped 32 C:\Users\user\AppData\...\putty city.exe.log, ASCII 7->32 dropped 44 Adds a directory exclusion to Windows Defender 7->44 11 putty city.exe 7->11         started        14 powershell.exe 24 7->14         started        16 powershell.exe 25 7->16         started        18 schtasks.exe 7->18         started        signatures5 process6 dnsIp7 34 polymoly.info 149.56.43.121, 4199, 49763 OVHFR Canada 11->34 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        process8
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df6ee43d63f73f9a5c23fb87649ebe1cb1ded36423d2562f7b143454e3f063a2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 09:49:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=35xoipld647zuxbd7odwjhv6dsy55u3eepjfml33cq2fjy7qmora._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1299373ec40fc1f3f16957338574a9ad51a94e62220cc8c08f1ad81dee443544
AsyncRAT
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
AsyncRAT
438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49
AsyncRAT
4964c618368217328e5fb70c84e047f18e5027ae0e6ea984b1b96c38ffad77c7
AsyncRAT
58cac4ef6c2a2c25e3a50ea093f3bc90933f046f76c14235b70cf6caf1bfd9ca
AsyncRAT
6527e25f86c1902c430fc0e52769359f831365969c35fc12ef837b7b63fcc939
AsyncRAT
cf495989e776f59e020fad15bb34b5f92573f9a1b96a51cdd5a02d31d339d502
AsyncRAT
f85fb30beeceb9e2721aa12deee155bb604c0a364f926da18644af7e6e5c7a25
AsyncRAT
f8d60cc318fc750f965180766b7edb64a81d86845b27b23f8d7bb0296adea2b7
AsyncRAT
+ 2'400 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default evasion rat
Link:
https://tria.ge/reports/220322-sbmacagbg7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Looks for VMWare Tools registry key
Async RAT payload
Looks for VirtualBox Guest Additions in registry
AsyncRat
Malware Config
C2 Extraction:
polymoly.info:4199
Unpacked files
SH256 hash:
3e3979142d0afaabae6515eccf131c21471f323850e6953cee51a2ec5c7a315b
MD5 hash:
0c33bada2c606ad49735b7bd196e7018
SHA1 hash:
5a7ff6187f9ad960e302c92ce01842a3a49dec7a
Link:
https://www.unpac.me/results/0f368f6e-1212-4c57-9f79-91ff967013b5/
SH256 hash:
301642ff8826ac264d1a78b36237b5ece99cb31a2d9cecd04aafb3449679d94b
MD5 hash:
f08268ddb5c1236b947fe2864860fc98
SHA1 hash:
772410110fee00fc53939b94c2f64069fa824cf4
Link:
https://www.unpac.me/results/0f368f6e-1212-4c57-9f79-91ff967013b5/
SH256 hash:
4a2f410dd10b81260cb02b5ca3173fe1c060f954c9b02eb80374f6c27bbcbb44
MD5 hash:
d56f431631a4fae119648ef3e575abf8
SHA1 hash:
ed84c6132556b913e405776ee99912cd4e17f4aa
Link:
https://www.unpac.me/results/0f368f6e-1212-4c57-9f79-91ff967013b5/
SH256 hash:
6bd4595bba9eb7fd0072fbd15a6046639c1d5b6ec315f8396a95a0c13d4ad007
MD5 hash:
a1c782c9181f68296f9182f3c817997c
SHA1 hash:
62168dc1cf46ee198247deb3b124714fcb1a120c
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/0f368f6e-1212-4c57-9f79-91ff967013b5/
Parent samples :
8b9e7e5d218817683f481d4a20b638e64bf3c7d11d5ed1b546330f6aed2862dd
01d83cfe30b45953671a25d375bea90b5472fd36b082d7d327485e9a777a166c
df6ee43d63f73f9a5c23fb87649ebe1cb1ded36423d2562f7b143454e3f063a2
SH256 hash:
df6ee43d63f73f9a5c23fb87649ebe1cb1ded36423d2562f7b143454e3f063a2
MD5 hash:
f6bae28d44953239750ef459ea0517d4
SHA1 hash:
1ecfcdf0fcfe4e6c70a674f83ec5a93f7c50c058
Link:
https://www.unpac.me/results/0f368f6e-1212-4c57-9f79-91ff967013b5/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/df6ee43d63f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df6ee43d63f73f9a5c23fb87649ebe1cb1ded36423d2562f7b143454e3f063a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe df6ee43d63f73f9a5c23fb87649ebe1cb1ded36423d2562f7b143454e3f063a2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2110937/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/254916/

Comments