MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
SHA3-384 hash: 34524c1cc86fbe14d1b25f33df13526f61a3c69c5bbc04fc0c08f3b50cb225082bb8220bfe9bb96e73533ea9c1da7a4d
SHA1 hash: 41c0632d2b614497e4c79ca6e6b183323231eb88
MD5 hash: 26df87c5a0870731284f7724ef36fac9
humanhash: summer-neptune-aspen-mississippi
File name:f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:322'048 bytes
First seen:2021-08-31 06:52:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 3072:rzo2a9YbGSjtYtJU7uf3a/lqYwoCQnUg7rIijn5yPs+E/Je58BmkY7WysHhyy0X0:w/2bGSZYYUqs7AeCB9Y7WPHveacJg
Threatray 1'634 similar samples on MalwareBazaar
TLSH T1AB64952C3E0D5B72FD1E91308D490B44FB270F072AA2AA9677EB19CAB74F0F56D45885
dhash icon 4db292f2d88cb40b (15 x RemcosRAT, 13 x AgentTesla, 7 x NanoCore)
Reporter JAMESWT_WT
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
Verdict:
Malicious activity
Analysis date:
2021-08-31 07:27:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/06d2b4d7-eb84-4428-97c1-8ff8c325e7b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184039/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07f049d5-a8df-4c35-af16-693bddea4c3c
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842312
Signature
.NET source code contains potential unpacker
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474743 Sample: kPFwk5vnfR Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected AsyncRAT 2->56 58 7 other signatures 2->58 7 adobedownloadmanager.exe 14 3 2->7         started        11 kPFwk5vnfR.exe 15 4 2->11         started        process3 dnsIp4 62 Multi AV Scanner detection for dropped file 7->62 64 Machine Learning detection for dropped file 7->64 66 Writes to foreign memory regions 7->66 68 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->68 13 cmd.exe 1 7->13         started        15 cmd.exe 1 7->15         started        17 RegAsm.exe 3 7->17         started        44 google.com 142.250.185.142, 49709, 49719, 80 GOOGLEUS United States 11->44 46 www.google.com 142.250.186.132, 49710, 49720, 80 GOOGLEUS United States 11->46 70 Tries to delay execution (extensive OutputDebugStringW loop) 11->70 72 Injects a PE file into a foreign processes 11->72 19 cmd.exe 3 11->19         started        22 cmd.exe 1 11->22         started        25 RegAsm.exe 14 2 11->25         started        signatures5 process6 dnsIp7 28 conhost.exe 13->28         started        30 schtasks.exe 1 13->30         started        32 conhost.exe 15->32         started        40 C:\Users\user\...\adobedownloadmanager.exe, PE32 19->40 dropped 42 adobedownloadmanager.exe:Zone.Identifier, ASCII 19->42 dropped 34 conhost.exe 19->34         started        60 Uses schtasks.exe or at.exe to add and modify task schedules 22->60 36 conhost.exe 22->36         started        38 schtasks.exe 1 22->38         started        48 185.157.160.229, 8990 OBE-EUROPEObenetworkEuropeSE Sweden 25->48 50 pastebin.com 104.23.98.190, 443, 49714 CLOUDFLARENETUS United States 25->50 file8 signatures9 process10
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 11:20:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6igsxhncic34vw3aiwsbkjrwy7fxdmjsasvk4npevet2v2vsguqa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
36d0c6d5280a29e061d07ad6eac7236e063ee8023ac398bb6d3f34a3f8aacb83
AsyncRAT
507cd77f0000cc2af40601e9121683769ea55d389a1df1c7832a103785711fb4
AsyncRAT
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
AsyncRAT
6f56e2921121d8013895cf883d382c22103da8cee4f057169b822b7a1615d4ed
AsyncRAT
71f5a0e02cfd97625bfaf4c5e48825b8b08262a7ac89f1b7f8ae82c1200205f8
AsyncRAT
85c02d0cd6412118420143865d77fc24fdc9fcddae292155919aad1270d327ca
AsyncRAT
8b0d6717a7d98595e7727f5309e19a1f3dae7986d1809f14f8de4edfb2810a3e
AsyncRAT
b28ddf6937378f3b331f7f19b968e4f0f785d3799aafe32758b6be2496dd6f69
AsyncRAT
cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb
AsyncRAT
e5a6c4d10951823971b02b5a710c7aab484fb902b1e50f563a2dfccacfab4b63
AsyncRAT
+ 1'624 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210831-8yj6g5q9hs/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
null:null
Unpacked files
SH256 hash:
f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
MD5 hash:
26df87c5a0870731284f7724ef36fac9
SHA1 hash:
41c0632d2b614497e4c79ca6e6b183323231eb88
Link:
https://www.unpac.me/results/09781522-d579-4e36-92a7-269927e33795/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f20d2b9da240/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184039/

Comments