MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec2bedbc2ac399f977ac113d90d509c4023c345ce75e77184a3727150a6969e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	ec2bedbc2ac399f977ac113d90d509c4023c345ce75e77184a3727150a6969e0
SHA3-384 hash:	327e71351b6a6ffd790fe3f675ae1af5a2184945ffe35d0932484f6959b1529d05c397e0bba2f7d96f309c9188a56bc0
SHA1 hash:	4cecc8dc06c90915b68ae376e53e9092cdc2316b
MD5 hash:	58d8d9cacade7c05b3858dbd716d867f
humanhash:	carbon-magazine-magnesium-orange
File name:	Check_Payment.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	41'736 bytes
First seen:	2021-04-07 14:17:48 UTC
Last seen:	2021-04-07 14:57:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:AUTVAfGUeB+zHsNMdq9zfPQUaeAmNRJLpzh7yi38T61NYciO41ukQZaV2H75sLZm:EeB+zSzgUalyfp/
Threatray	4 similar samples on MalwareBazaar
TLSH	B0132B1030430272C758273609FB0E1AAB73B3C2C9A18B1FEEB76B45DA6A3B55D5C65D
Reporter	info_sec_ca
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Check_Payment.exe

Verdict:

Malicious activity

Analysis date:

2021-04-07 14:21:21 UTC

Tags:

trojan rat asyncrat

Link:

https://app.any.run/tasks/a5a83995-a317-4f94-90b7-7e435c6dfd54

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/132866/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.DNB.genEldorado.13821.10510.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Setting a single autorun event

Adding exclusions to Windows Defender

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

HawkEye

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f836ce1b-8db5-429d-ac0d-dd0fd358939f

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

0 / 100

Link:

https://www.joesandbox.com/analysis/668776

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec2bedbc2ac399f977ac113d90d509c4023c345ce75e77184a3727150a6969e0/

Threat name:

ByteCode-MSIL.Backdoor.Crysan

Status:

Malicious

First seen:

2021-04-07 14:18:07 UTC

AV detection:

10 of 29 (34.48%)

Threat level:

5/5

Verdict:

unknown

AsyncRAT

93c5bfb2b4a47759762d3ae4b1d80c2de8a4d41860d18c55cafa7607a8e7f1c4

AsyncRAT

9936263d7a358e5113b0ba284d8c321c2bfd9510cf4213c7ad5b5fd6b54db9ed

AsyncRAT

a0d988206c1aec4ae4582c27d02ac896e9b0904ea4264b8d766337741514b5c9

AsyncRAT

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat evasion persistence rat trojan

Link:

https://tria.ge/reports/210407-dzgtxyld4n/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Windows security modification

Async RAT payload

AsyncRat

Windows security bypass

Malware Config

C2 Extraction:

173.243.112.143:6606
173.243.112.143:7707
173.243.112.143:8808
prontovibes.ddns.net:6606
prontovibes.ddns.net:7707
prontovibes.ddns.net:8808

Unpacked files

SH256 hash:

ec2bedbc2ac399f977ac113d90d509c4023c345ce75e77184a3727150a6969e0

MD5 hash:

58d8d9cacade7c05b3858dbd716d867f

SHA1 hash:

4cecc8dc06c90915b68ae376e53e9092cdc2316b

Link:

https://www.unpac.me/results/759b4661-2a7d-45f8-8989-519b3916a587/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/ec2bedbc2ac399f977ac113d90d509c4023c345ce75e77184a3727150a6969e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/132866/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample