MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700
SHA3-384 hash: d2496be45374b5d5d0f22985cb01ffa693ae99fe6e89848af65e8248f3d39f4917a32cca36eae93ddc2d5597306f30f5
SHA1 hash: 94ee1f211c7c5e14cf5835071cf16f239eefebd7
MD5 hash: 30028635a4d6eaceee5c23499f73aa3a
humanhash: harry-maryland-quebec-helium
File name:Production order List Quotation.pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:895'140 bytes
First seen:2021-01-15 15:52:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 24576:W2O/Glp1qi8s+xL4dWXgr9Ed7ogIisAR10uH:crtL4IgpEd0gbd
Threatray 175 similar samples on MalwareBazaar
TLSH D315CF81E58461B0DD59AB306A3ACD358237BDFCA878941C2ADD3E2B3BFB6D35025513
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: mx3.bangla.net
Sending IP: 203.188.252.14
From: Ms.Annette Sturm <br9631@bangla.net>
Reply-To: aggreko@emirates.net.ae
Subject: Fwd: Notice on the above Quotation and production order #
Attachment: Production order List Quotation.pdf.zip (contains "Production order List Quotation.pdf.exe")

AsyncRAT C2:
194.5.97.173:1993

Hosted on nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.97.0 - 194.5.97.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-UK5
country: GB
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
mnt-by: PRIVACYFIRST-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-26T17:48:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Production order List Quotation.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 16:03:34 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/2c49d363-9284-4260-8d03-7b66e884ee1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112244/
Detection(s):
SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Launching a process
Creating a file
Creating a process from a recently created file
Sending a UDP request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582662
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340371 Sample: Production order List Quota... Startdate: 15/01/2021 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->38 40 8 other signatures 2->40 7 Production order List Quotation.pdf.exe 12 2->7         started        10 List.exe 2->10         started        13 List.exe 2 2->13         started        15 3 other processes 2->15 process3 file4 28 C:\Users\user\AppData\...\Production.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\Local\Temp\...\List.exe, PE32 7->30 dropped 17 List.exe 3 3 7->17         started        21 Production.exe 3 7->21         started        50 Creates autostart registry keys with suspicious names 10->50 52 Creates multiple autostart registry keys 10->52 signatures5 process6 file7 26 C:\Users\user\AppData\Roaming\...\List.exe, PE32 17->26 dropped 42 Multi AV Scanner detection for dropped file 17->42 44 Creates an undocumented autostart registry key 17->44 46 Machine Learning detection for dropped file 17->46 48 Drops PE files to the startup folder 17->48 23 Production.exe 2 21->23         started        signatures8 process9 dnsIp10 32 1.remcosagent.com 23.105.131.188, 1993, 49732 LEASEWEB-USA-NYC-11US United States 23->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 11:25:08 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gyclqyihrqlcjqpnsnwscptzafkpbqycs2m52axwvefxont44aa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
AsyncRAT
5ee970db11a1dbfeff58b1f1206045d141022d6d396d50ba571910522a2c106d
AsyncRAT
5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67
AsyncRAT
87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
AsyncRAT
a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7
AsyncRAT
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
AsyncRAT
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
AsyncRAT
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
AsyncRAT
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
AsyncRAT
f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765
AsyncRAT
+ 165 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/210115-p2lcq3s2te/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
1.remcosagent.com:1993
Unpacked files
SH256 hash:
dd1b2063b215c42709566395c7265ac87a8264178a2f3fb44a46c66f067b912f
MD5 hash:
d1f3d58c7251cd1cbf9f1b843caf45af
SHA1 hash:
db56b6c3d4e291747fa21f51cde9239c40892aaf
Link:
https://www.unpac.me/results/0cd5a292-ae9c-419a-b19f-7518d244c447/
SH256 hash:
d815a3e97acf337ce4ee9a6599f536a92145e52c0556a671747b4285949a0e43
MD5 hash:
d8e3b363381d1c6d6e0f087e33341383
SHA1 hash:
f36b2e7402cecf051141029247ac2ac157d69d4c
Link:
https://www.unpac.me/results/0cd5a292-ae9c-419a-b19f-7518d244c447/
SH256 hash:
abb2f435456f12e199c9e286194a7d4c1574da21666a0960cfa7f9b5f3ffee19
MD5 hash:
4f76cb97e53d1dea89bb463616698c3f
SHA1 hash:
bcdc10419170e349ee4ce43d0836543cb73ac678
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/0cd5a292-ae9c-419a-b19f-7518d244c447/
Parent samples :
8f74c5871c33b4bf63b43f3e7e216dae1cc92e79cd0035422c8eb6768b98dc06
e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700
156f91714e02cac9a799c6a9b0a3b18b92bfb29c4fc617808d550b1a9cf0a96e
SH256 hash:
366da8a6cbd04282ab6ef9c2ffc25d4aee0e52461da78ecc17ecba2db39ed834
MD5 hash:
460571c0e5a72a62cd42adc66616f197
SHA1 hash:
88f9305bd2a88cac12574fa86922a1b9c63dd32c
Link:
https://www.unpac.me/results/0cd5a292-ae9c-419a-b19f-7518d244c447/
SH256 hash:
e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700
MD5 hash:
30028635a4d6eaceee5c23499f73aa3a
SHA1 hash:
94ee1f211c7c5e14cf5835071cf16f239eefebd7
Link:
https://www.unpac.me/results/0cd5a292-ae9c-419a-b19f-7518d244c447/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 3a536b678f82bb1a8d83c59375d97c2e167facf2112af1ae6142dc08ced7bc48

AsyncRAT

Executable exe e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700

(this sample)

  
Dropped by
MD5 4db1e2ebd7bdfe4eeb60ad8b031ded03
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112244/
  
Dropped by
SHA256 3a536b678f82bb1a8d83c59375d97c2e167facf2112af1ae6142dc08ced7bc48

Comments