MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae
SHA3-384 hash: cb2d14a48f0ef6890fd3d0f7a8ba4d6985fbd6b8f277a96a0a6c2352d39dc9788854d60b6c507cf5195104630b4e872a
SHA1 hash: 719a2ff49e7f8d5ac4a7b0f7dc2256f8ed45a541
MD5 hash: 4f689ad2542e385c696d18df256e474e
humanhash: three-lithium-freddie-mockingbird
File name:4f689ad2542e385c696d18df256e474e.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:854'016 bytes
First seen:2022-01-22 21:26:14 UTC
Last seen:2022-01-22 22:46:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qyMeiWOtORmo//B6wJfbBDOQ0Vb46n625rKkGeq02V3MyJy:qQiAJ6wJfbBDOQ6c/25rKwXOBk
Threatray 1'765 similar samples on MalwareBazaar
TLSH T15B05F10B624D027FE4D5FAB51810788453B8AC2BE115F31CDA59B0FEDDB3F247262A92
File icon (PE):PE icon
dhash icon ceccc4c6cef0f2d4 (9 x AsyncRAT, 1 x NanoCore, 1 x BitRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
5.230.72.132:7707

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.230.72.132:7707 https://threatfox.abuse.ch/ioc/313766/

Intelligence

File Origin
# of uploads :
2
# of downloads :
393
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f689ad2542e385c696d18df256e474e.exe
Verdict:
Malicious activity
Analysis date:
2022-01-22 22:16:45 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/d7449e57-2fa5-4d2a-b6e6-edae783ba275

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221684/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38660527.30670.12491.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a window
Creating a file
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61ec76acf81da814af9a6c5b/reports/a2fe9d20-8317-4987-bb2b-70601b4d4d2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/632b9e34-7f5c-48d6-b8cd-73d6b6468c9a
Result
Threat name:
AsyncRAT GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925728
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Microsoft Workflow Compiler
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected GhostRat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 558206 Sample: 22L7qcTCE5.exe Startdate: 22/01/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected UAC Bypass using CMSTP 2->55 57 15 other signatures 2->57 8 22L7qcTCE5.exe 4 6 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 process3 dnsIp4 39 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\...\22L7qcTCE5.exe.log, ASCII 8->41 dropped 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->63 65 Creates autostart registry keys with suspicious names 8->65 67 Creates an autostart registry key pointing to binary in C:\Windows 8->67 77 2 other signatures 8->77 19 powershell.exe 8->19         started        21 aspnet_regbrowsers.exe 8->21         started        24 powershell.exe 24 8->24         started        28 2 other processes 8->28 43 C:\Windows\Temp\efh0grds.inf, Windows 12->43 dropped 69 Multi AV Scanner detection for dropped file 12->69 71 Writes to foreign memory regions 12->71 73 Injects a PE file into a foreign processes 12->73 26 cmstp.exe 12->26         started        45 C:\Windows\Temp\fkrhm0c2.inf, Windows 14->45 dropped 47 192.168.2.1 unknown unknown 16->47 75 Changes security center settings (notifications, updates, antivirus, firewall) 16->75 file5 signatures6 process7 dnsIp8 30 conhost.exe 19->30         started        49 5.230.72.132, 49714, 7707 ASGHOSTNETDE Germany 21->49 32 conhost.exe 24->32         started        34 conhost.exe 28->34         started        process9 process10 36 svchost.exe 30->36         started        signatures11 59 Writes to foreign memory regions 36->59 61 Injects a PE file into a foreign processes 36->61
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 23:46:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47spi4x7wqoqyjtyz2wfuxbdmjbni2tmpaopqqy3myndje5al2xa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
608e60e4a09dab9537b70b34a5497e8fd885449a8b3789d8f7412d29ea91387e
AsyncRAT
6a7156a5145f236ba7d54846283937e7de223a933539b3869ac72a0bf7e8bbe9
AsyncRAT
6f605c15b2480a3a0e93a9f45dd658cdfc0cd03349c8da5380976d65f1c747c5
AsyncRAT
eafbc4c031ce80d3b797f067bf78058ba1fee03ee2d335a2e7217371206b3b2f
AsyncRAT
ee448f8c746610231bae16be68c1886af5c4442d7f1d2fa9658b5d27ed309261
AsyncRAT
+ 1'755 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default evasion persistence rat trojan
Link:
https://tria.ge/reports/220122-1argnsdbh6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Windows security modification
Looks for VMWare Tools registry key
Async RAT payload
Looks for VirtualBox Guest Additions in registry
AsyncRat
Windows security bypass
Malware Config
C2 Extraction:
5.230.72.132:6606
5.230.72.132:7707
5.230.72.132:8808
Unpacked files
SH256 hash:
b22a5f35c13bcdd491fd5a885cb392df30033336fe71c50ea094b017976c9d04
MD5 hash:
4d8959fc8d6ccd9a26e20d2cd8485ae1
SHA1 hash:
b6a41435f17449a5aedc29f6ed6b1ac4d54958bb
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/44167595-67bc-4ee2-8963-3c9aac222d73/
SH256 hash:
7d7b8d476e3da433cf00d6f8577afdf073966bacd7eb9366d6760c867974c563
MD5 hash:
e7ac57c9892f0b06e04c35b9da03f8dd
SHA1 hash:
2fc0214f71afdd9890ec84d6aa1e2a3f764517f9
Link:
https://www.unpac.me/results/44167595-67bc-4ee2-8963-3c9aac222d73/
SH256 hash:
0d057d34922768270591626d217e54a1bf38fe8f737717e14968540c24b10bf0
MD5 hash:
aac1c82af8def48682274bb60fa29854
SHA1 hash:
2737bc49783d336bad962feefa5e82eddab118b0
Link:
https://www.unpac.me/results/44167595-67bc-4ee2-8963-3c9aac222d73/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/44167595-67bc-4ee2-8963-3c9aac222d73/
SH256 hash:
e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae
MD5 hash:
4f689ad2542e385c696d18df256e474e
SHA1 hash:
719a2ff49e7f8d5ac4a7b0f7dc2256f8ed45a541
Link:
https://www.unpac.me/results/44167595-67bc-4ee2-8963-3c9aac222d73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:silentbuilder_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221684/

Comments