MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f211b369e8e092fc3f8a22b540e320d4487452cdadaa9cfb272fabb921dd48e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	f211b369e8e092fc3f8a22b540e320d4487452cdadaa9cfb272fabb921dd48e3
SHA3-384 hash:	0901b293b6a877f2323b205d51d2d53dccb76c14b6595e6be2fee3f60d2e88243119241730b1136468b4431c066c6595
SHA1 hash:	0091cae62b67c0eb37e81787127ffa85892e506e
MD5 hash:	64a7e5d8bb5f5393567f5aa1ea4fa864
humanhash:	hotel-lake-seventeen-fourteen
File name:	CV CREDENTIALS.z
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	415'486 bytes
First seen:	2021-07-08 05:40:06 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:O+4cJwcWvw7ctUwFM847BydBy9kWFKfNN:O+4cOcQw7bwGl8y9kWkfz
TLSH	T1839423E7875293B5190A8F0EBD7E25BE61AE8318E343149E47BE8D70B0184D775E220F
Reporter	cocaman
Tags:	AsyncRAT z zip

cocaman

Malicious email (T1566.001)
From: "Muhammad Yaseen <qakhan@nrc.com.sa>" (likely spoofed)
Received: "from nrc.com.sa (unknown [103.155.81.50]) "
Date: "7 Jul 2021 20:15:37 -0700"
Subject: "Re: CV / Application for the post of Export Documentation and/or Operation Assistant / Pricing"
Attachment: "CV CREDENTIALS.z"

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.908-1.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f211b369e8e092fc3f8a22b540e320d4487452cdadaa9cfb272fabb921dd48e3

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f211b369e8e092fc3f8a22b540e320d4487452cdadaa9cfb272fabb921dd48e3/

Threat name:

ByteCode-MSIL.Backdoor.Crysan

Status:

Malicious

First seen:

2021-07-08 03:57:22 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

8 of 46 (17.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ii3g2pi4cjpyp4kek2ubyza2rehiuwnvwvjz6zhf6v3sio5jdrq._file

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat

Link:

https://tria.ge/reports/210708-w1ktqpjbfs/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

185.140.53.8:6060
ambiboss.ydns.eu:6060

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/f211b369e8e092fc3f8a22b540e320d4487452cdadaa9cfb272fabb921dd48e3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip f211b369e8e092fc3f8a22b540e320d4487452cdadaa9cfb272fabb921dd48e3

(this sample)

AsyncRAT

exe 74221a6c13b7221afb2e91d46e4b561940f2d5fe3a3a9410c89a8711e983c0a2

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 74221a6c13b7221afb2e91d46e4b561940f2d5fe3a3a9410c89a8711e983c0a2

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample