MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662
SHA3-384 hash: d5ee1b001b7bbf1d4c758316bc50c9de398afd069344ce0393fdd4232fdcaae06ee27c7a82ca2d85ade476248945f3d4
SHA1 hash: 13060aac5afd75ae8804a2a3f32126b04bc67e4f
MD5 hash: 58393fdda014d4811373d8dc628508b8
humanhash: uranus-charlie-hot-carbon
File name:New Order Enquiry And Procurement Datasheet For Ohmex Intl Distribution_pdf (2).exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:152'576 bytes
First seen:2020-08-17 06:30:51 UTC
Last seen:2020-08-17 13:29:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:aSuIS9sOjutyqvohs3xcNSwIrRuw+mqv9j1MWLQXmsolVMSl:aSuIS9sOjutyqv4KxUJoDAOS
Threatray 295 similar samples on MalwareBazaar
TLSH 65E3A9E16740A124D8977178847BD9A77633A2FE8D68450C6D82FF0FFD22386542B9CB
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: box-smtp2.robocision.info
Sending IP: 178.175.148.197
From: Ohmex Intl Ltd <official@cyberbomber.xyz>
Subject: New Order Enquiry
Attachment: New Order Enquiry And Procurement Datasheet For Ohmex Intl Distribution_pdf 2.zip (contains "New Order Enquiry And Procurement Datasheet For Ohmex Intl Distribution_pdf (2).exe")

AsyncRAT C2:
185.165.153.43:5007

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46676/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432618
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 268586 Sample: New Order Enquiry And Procu... Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 38 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->38 40 Yara detected AntiVM_3 2->40 42 Yara detected AsyncRAT 2->42 44 7 other signatures 2->44 6 New Order Enquiry And Procurement Datasheet For Ohmex Intl Distribution_pdf (2).exe 17 4 2->6         started        11 New Order Enquiry And Procurement Datasheet For Ohmex Intl Distribution_pdf (2).exe 2 2->11         started        13 New Order Enquiry And Procurement Datasheet For Ohmex Intl Distribution_pdf (2).exe 2 2->13         started        15 New Order Enquiry And Procurement Datasheet For Ohmex Intl Distribution_pdf (2).exe 2->15         started        process3 dnsIp4 34 pastebin.com 104.23.98.190, 443, 49740, 49749 CLOUDFLARENETUS United States 6->34 26 New Order Enquiry ...ibution_pdf (2).exe, PE32 6->26 dropped 28 New Order Enquiry ...exe:Zone.Identifier, ASCII 6->28 dropped 46 Creates an undocumented autostart registry key 6->46 48 Writes to foreign memory regions 6->48 50 Allocates memory in foreign processes 6->50 17 RegSvcs.exe 2 6->17         started        36 104.23.99.190, 443, 49744, 49745 CLOUDFLARENETUS United States 11->36 52 Injects a PE file into a foreign processes 11->52 20 RegSvcs.exe 3 11->20         started        22 RegSvcs.exe 2 13->22         started        30 New Order Enquiry ...ion_pdf (2).exe.log, ASCII 15->30 dropped 54 Creates autostart registry keys with suspicious names 15->54 24 RegSvcs.exe 15->24         started        file5 signatures6 process7 dnsIp8 32 185.165.153.43, 49741, 5007 DAVID_CRAIGGG Netherlands 17->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 02:39:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rogmoterav4xmrrjiwpnpjnu3nzwfux35fjzfwcj5g5qnhhwzra._file
Verdict:
suspicious
Similar samples:
02dd12ec33f4f1d1bbf4f3479ad5bc88be2a1c92f19461e6f25a754e213abc42
AsyncRAT
0dea20e41047659c9a7a7ef93599d0c918fe26e2322db8fb3e9ef333c5a48ca2
AsyncRAT
1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d
AsyncRAT
1d0d8c5370adf00c6dfcebcd398685e53871c2848d6241854cf338149c2bd7c3
AsyncRAT
2bb06f09556b4531015208c97a20dd3b56d6b82b2d3f49a353dc65be55da4623
AsyncRAT
341c2ff06edc558131f9517ebabf0ce7676457cc1d33c5ab7189961d0b28b0b8
AsyncRAT
632fad824e77666d3ccb676808a2f04eb349f1f0f1495e75b37aa47e690ffe14
AsyncRAT
99292ae82aea1cc66b3fbd7e9aa4139af2af3b5ea9be01ca2da1dfadabd24008
AsyncRAT
a16602864c33b68b083a8a404c6500b44bf3247c474071cb7dd4216a39e5347e
AsyncRAT
ebb67fcc05af7a919e225a7a1f8c5bfbd65b28c22f4659527b0afb4f968ccd49
AsyncRAT
+ 285 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat persistence family:asyncrat
Link:
https://tria.ge/reports/200817-m6q7bbanta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Async RAT payload
AsyncRat
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip b3f1571e4a3c0b735b22d81ee5f58d774e7fea07fcbb1b2425ee5c5514ebe04e

AsyncRAT

Executable exe e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662

(this sample)

  
Dropped by
MD5 0a21522f602f895aec0016aa348fe276
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46676/
  
Dropped by
SHA256 b3f1571e4a3c0b735b22d81ee5f58d774e7fea07fcbb1b2425ee5c5514ebe04e

Comments