MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63
SHA3-384 hash: 61da73f94f84152e42d56e66106554ca71d1e53a761348461ad8dfb2d3fa60e64fa3224e70c5a755085fb1890023bf2e
SHA1 hash: 6929deb8daf3c1465584ef8fd0bd80240d98bdbf
MD5 hash: a734e792cd7ae1fa62808f559e125655
humanhash: quebec-burger-pluto-july
File name:RFQ Nuwater.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:93'184 bytes
First seen:2021-08-12 10:14:00 UTC
Last seen:2021-08-13 05:36:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:hJcHnMnTuSRGi4qcB68PZQDGA5K6NIgCu3jFM6xpI5Woj:hCHnMqSRGivCu3j3xpI1j
Threatray 337 similar samples on MalwareBazaar
TLSH T1BC93A25671A56F22DDBD83F109BA619407FE79BB7032E31D1CE7A0DA1174F118A80EA3
Reporter GovCERT_CH
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ Nuwater.exe
Verdict:
Malicious activity
Analysis date:
2021-08-12 10:18:59 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/f7098f73-7b0e-470d-a3fc-b60b7307a5e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178568/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.EHH.genEldorado.21761.25886.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75802a70-4712-4c53-87c6-7a75d955c03b
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831638
Signature
.NET source code contains potential unpacker
Drops PE files to the startup folder
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 464069 Sample: RFQ Nuwater.exe Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 8 other signatures 2->63 9 RFQ Nuwater.exe 15 4 2->9         started        12 RFQ Nuwater.exe 3 2->12         started        process3 dnsIp4 51 cdn.discordapp.com 162.159.135.233, 443, 49705, 49721 CLOUDFLARENETUS United States 9->51 15 cmd.exe 3 9->15         started        19 cmd.exe 1 9->19         started        39 C:\Users\user\AppData\...\RFQ Nuwater.exe.log, ASCII 12->39 dropped 21 RFQ Nuwater.exe 1 2 12->21         started        file5 process6 dnsIp7 41 C:\Users\user\AppData\...\RFQ Nuwater.exe, PE32 15->41 dropped 43 C:\Users\...\RFQ Nuwater.exe:Zone.Identifier, ASCII 15->43 dropped 53 Suspicious powershell command line found 15->53 55 Drops PE files to the startup folder 15->55 24 conhost.exe 15->24         started        26 powershell.exe 18 19->26         started        28 wscript.exe 19->28         started        30 conhost.exe 19->30         started        32 timeout.exe 1 19->32         started        47 dedicatedlambo9.ddns.net 84.38.133.182, 10001, 49731 DATACLUB-NL Latvia 21->47 49 185.140.53.253, 10001, 49724 DAVID_CRAIGGG Sweden 21->49 file8 signatures9 process10 process11 34 RFQ Nuwater.exe 26->34         started        dnsIp12 45 cdn.discordapp.com 34->45 37 RFQ Nuwater.exe 34->37         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 06:38:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wtmjuijkgbds4nqfnnhcdd2vnee7oicwhsq6vr2fx6mvt5ljnrq._file
Verdict:
unknown
Similar samples:
5ae912c556f676264f800d3ab31aa932564b2dde8fae76f6dbeb8d568f92aee5
AsyncRAT
7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217
AsyncRAT
8e3c9001f9377d8c55aabd93e84e71e5b0eaa73bf783e880ef70476b442348b7
AsyncRAT
9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
AsyncRAT
ac44cb33fc3c483e92ec55e10fc93a95e2eb86ddaedd666f77aff458bcf44ab2
AsyncRAT
cc43f37f9eb41430bbfb6f1515b65c5fd2bc7b7565701c71aa65731fdf46c288
AsyncRAT
e04335ac94e24921533541cae7480092fc25063caa280ebe3ed5a8697af3a844
AsyncRAT
fa36868347a2123d27edf7866bd82006c246b078c06d8138179701973caa2d15
AsyncRAT
+ 327 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat suricata
Link:
https://tria.ge/reports/210812-9dzmh37m6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
dedicatedlambo9.ddns.net:10001
185.140.53.253:10001
Unpacked files
SH256 hash:
e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63
MD5 hash:
a734e792cd7ae1fa62808f559e125655
SHA1 hash:
6929deb8daf3c1465584ef8fd0bd80240d98bdbf
Link:
https://www.unpac.me/results/7f282810-ebac-4e68-bfed-6d75fc17090c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63

(this sample)

  
Dropped by
AsyncRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/178568/

Comments