MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e334c709a414d7ab88c0ce1d12bdf200a8053193da5c9cb757c79ac9d5f4d3b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e334c709a414d7ab88c0ce1d12bdf200a8053193da5c9cb757c79ac9d5f4d3b8
SHA3-384 hash: 43f89c0575bb7ae656d7fe541736d0f7ce5ec337e9b7fad541c440dd051bc14119ee9a23a96d228ca8dbf581b713bf33
SHA1 hash: b4d0c0d880aaa2b922eac624e2ecac46fcf9ecae
MD5 hash: f30eadfcccc73d4c882a3c4dcf2c6dc1
humanhash: stream-single-ohio-michigan
File name:new po #456789.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:297'472 bytes
First seen:2020-10-13 07:52:16 UTC
Last seen:2020-10-13 14:46:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:/fP65HsW7kFuG97mwIxeKg0xb5+aYVfpPMgZW2+P5:/OHVywgE5+aC6gF
Threatray 278 similar samples on MalwareBazaar
TLSH F954E0F2364D095AF2B68672808BB083F53C19DB1F1D890DAEDAC31D9DF26160BD558B
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: wiko.com.hk
Sending IP: 62.113.215.195
From: REGLUS<sales88@wiko.com.hk>
Subject: NEW PO
Attachment: new po 456789.zip (contains "new po #456789.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70323/
Detection(s):
SecuriteInfo.com.ArtemisF30EADFCCCC7.16221.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489354
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e334c709a414d7ab88c0ce1d12bdf200a8053193da5c9cb757c79ac9d5f4d3b8/
Threat name:
ByteCode-MSIL.Trojan.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 06:49:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4m2mocnectl2xcgazyorfppsacuakmmt3jojzn2xy6nmtvpu2o4a._file
Verdict:
unknown
Similar samples:
0dd99552079fdf0b8f5e449b39aa5f454ea4e075931ac298f7aa4080831aa9e7
AsyncRAT
4b652aeecc3af929f45e0bf93e3d87b989e58cca29557f8bbdcc33cbd42a521a
AsyncRAT
6841a00603c067163259e142990659c0217ded69e2895d187fa65f9439034c7f
AsyncRAT
80f341333728513fea45dc07c8582e5a8c3ac630de39b53ef23d1742ddc0f5d2
AsyncRAT
82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e
AsyncRAT
9abdd554c7f65285834b12f1511bef9501c300fd81559a9052fb5d6c0004163b
AsyncRAT
a058f0c8ef292ed93c5aa59d78764335ded47bba1a1bfd2d19d8c5fc809a6171
AsyncRAT
c62ef08103c30d5d2d18fbc2eff820985af40aa377828ef72c3ecad495103511
AsyncRAT
ef715113b5c0354cb654191c48dcabf6f00f7db2644c4a1ba344feefe12eee86
AsyncRAT
f37a3d07e33750a031b832d3486485b74bc23c84bf64249cb1bd8ce495802621
AsyncRAT
+ 268 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:asyncrat
Link:
https://tria.ge/reports/201013-jv53pg3bdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AsyncRat
Unpacked files
SH256 hash:
e334c709a414d7ab88c0ce1d12bdf200a8053193da5c9cb757c79ac9d5f4d3b8
MD5 hash:
f30eadfcccc73d4c882a3c4dcf2c6dc1
SHA1 hash:
b4d0c0d880aaa2b922eac624e2ecac46fcf9ecae
Link:
https://www.unpac.me/results/e40a605e-ddb6-40a7-8347-d801fa660203/
SH256 hash:
55b43dc2aba507be3564c2d7212de991153eb1558536d13d43437a516d499a0d
MD5 hash:
280a910dcc202c0f4b8a82dfba70d59c
SHA1 hash:
281e5ef6da193b47c7924fbb085f5649bfe80675
Link:
https://www.unpac.me/results/e40a605e-ddb6-40a7-8347-d801fa660203/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/e40a605e-ddb6-40a7-8347-d801fa660203/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
e3f3f21f1da73f127615d0ce7f20b1159facd9b5015ef223de73dddbcdf1f59a
MD5 hash:
7a4f8f06291d4cff66c36c4963e2d0e6
SHA1 hash:
dfe8b19e175fb63bd891664e11e9f7fa646f4bf1
Link:
https://www.unpac.me/results/e40a605e-ddb6-40a7-8347-d801fa660203/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e334c709a414d7ab88c0ce1d12bdf200a8053193da5c9cb757c79ac9d5f4d3b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 57d2671a05db0bd532973c40260fe505ad1b2b50d1cf2f8c397acb072917dffc

AsyncRAT

Executable exe e334c709a414d7ab88c0ce1d12bdf200a8053193da5c9cb757c79ac9d5f4d3b8

(this sample)

  
Dropped by
MD5 07db93945f23d312c4f426494c5c8a1d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70323/
  
Dropped by
SHA256 57d2671a05db0bd532973c40260fe505ad1b2b50d1cf2f8c397acb072917dffc

Comments