MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f72a7401885bd2c5ef7ac79407e2f5b803e475b4fdb598207a103c908e63179f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f72a7401885bd2c5ef7ac79407e2f5b803e475b4fdb598207a103c908e63179f
SHA3-384 hash: a594bd004bbf75bb19035ea76ed1c70b6a71334f3255a9331d7df60152f97cf9cb26d01f87b651c861810cbebacd820a
SHA1 hash: 496b49e8b6c87903288bd67b7a5c6a98fc09b1e4
MD5 hash: 8634e8de0d174e40a3f54a9c9aea45b1
humanhash: juliet-jupiter-summer-oklahoma
File name:Payment Details.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:302'080 bytes
First seen:2020-10-19 07:25:25 UTC
Last seen:2020-10-19 08:24:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:T2Bg+QFVsscoczsLV9fncjOe0TLsI6OD9L7JYPogSVGPSjK:cUVsqczs7nc5C4I6OD9HJ8ZSVGPSjK
Threatray 11 similar samples on MalwareBazaar
TLSH 6A54E097A6814366DC9D4B36A9154850233B7E6FB4F0B79D5E89F4620B3F393003A62F
Reporter abuse_ch
Tags:AsyncRAT exe GoDaddy RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: p3nlsmtpcp01-04.prod.phx3.secureserver.net
Sending IP: 184.168.200.145
From: Ahmed Mohammed <info@fgtellc.com>
Reply-To: admin@byhd.co.kr
Subject: Fw: TT COPY
Attachment: Payment Details.img (contains "Payment Details.exe")

ASyncRAT C2:
dongreg202020.duckdns.org:2703 (178.33.222.241)

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Heur.DNP.sm0@ay9tHYci.31083.32632.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
Sending a UDP request
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495008
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the user root directory
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299982 Sample: Payment Details.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected AsyncRAT 2->54 56 Executable has a suspicious name (potential lure to open the executable) 2->56 58 6 other signatures 2->58 7 Payment Details.exe 1 3 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 8 other processes 2->15 process3 dnsIp4 40 C:\Users\user\svchost.exe, PE32 7->40 dropped 42 C:\Users\user\svchost.exe:Zone.Identifier, ASCII 7->42 dropped 64 Writes to foreign memory regions 7->64 66 Maps a DLL or memory area into another process 7->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->68 18 Payment Details.exe 7->18         started        21 vbc.exe 2 7->21         started        70 Multi AV Scanner detection for dropped file 11->70 72 Machine Learning detection for dropped file 11->72 24 vbc.exe 2 11->24         started        26 vbc.exe 13->26         started        28 vbc.exe 13->28         started        30 vbc.exe 13->30         started        50 127.0.0.1 unknown unknown 15->50 74 Changes security center settings (notifications, updates, antivirus, firewall) 15->74 32 MpCmdRun.exe 15->32         started        file5 signatures6 process7 dnsIp8 60 Writes to foreign memory regions 18->60 62 Maps a DLL or memory area into another process 18->62 34 vbc.exe 3 18->34         started        36 vbc.exe 18->36         started        44 dongreg202020.duckdns.org 178.33.222.241, 2703, 49718, 49734 OVHFR France 21->44 46 54.37.36.116, 49746 OVHFR France 21->46 48 2 other IPs or domains 21->48 38 conhost.exe 32->38         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f72a7401885bd2c5ef7ac79407e2f5b803e475b4fdb598207a103c908e63179f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 02:41:53 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=64vhiamilpjml332y6kapyxvxab6i5nu7w2zqid2ca6jbdtdc6pq._file
Verdict:
unknown
Similar samples:
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
AsyncRAT
404b0c9d56bc554c5cbeddfc79821b88f5781762b69c3519bcebf02fb76a6735
AsyncRAT
4a024542511c7d0a40e8317486b7177eaf71ee355f1731f17bc632731ea814b0
AsyncRAT
5a418e084b49b740a94d307baf45d67ac25db462fdeb80065fb60ffeb197273f
AsyncRAT
64e336a9ba35cd79314c0ca934116b4d002a0e7be35e905fb15ce7c5c7839519
AsyncRAT
6637c089017af9c448d8235e20db32603d8547f0611187341cf184dc66c170b4
AsyncRAT
a183a94f7c049de1770e76be272a29e0ec7b3b4344ef5c4dc2fe9ddd5962b5bd
AsyncRAT
b4b5110b2babce8946d262e6f75215f1c7a6f036eeb3eda5223b9430d5235d46
AsyncRAT
b60f7101e7fe4632ce94f03fe039e6ff31d5d4a00b304fff73f7cfd3d9023e4c
AsyncRAT
d9029ab42ac205dc948b7d7d03010db9bc5c9a1893bd72bb0970a82751e2f047
AsyncRAT
+ 1 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat persistence family:asyncrat
Link:
https://tria.ge/reports/201019-tlpxdszvrx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Uses the VBS compiler for execution
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36:49746,2703,49714
Unpacked files
SH256 hash:
f72a7401885bd2c5ef7ac79407e2f5b803e475b4fdb598207a103c908e63179f
MD5 hash:
8634e8de0d174e40a3f54a9c9aea45b1
SHA1 hash:
496b49e8b6c87903288bd67b7a5c6a98fc09b1e4
Link:
https://www.unpac.me/results/e79cf71b-0b0f-43a0-b27a-450a8dbac714/
SH256 hash:
2f1b05cc2b963706266b7e6aff34bad3aba40167798bf63454e7db7a6677e49c
MD5 hash:
adfe2098eb38b8340622d77fe3e24084
SHA1 hash:
538a0675c11a42915fa3dbbf3ff364d692e287da
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/e79cf71b-0b0f-43a0-b27a-450a8dbac714/
Parent samples :
f72a7401885bd2c5ef7ac79407e2f5b803e475b4fdb598207a103c908e63179f
6536526fa3203e5eb97977b6b5448f8b44053d7739147a672ebf8a249c9260ea
28b795225d2ed86c593bf06ff0171760338768d843f8f6f2cc8c5a3b801a7b70
SH256 hash:
068700c97edc3bd79e590894250f3febea04df5b82156dd811531a37d007c266
MD5 hash:
e02fabebbd57d9a6a1117eb903fcd084
SHA1 hash:
7f37bff8745cfad4d743daa47a921f233df8c9cc
Link:
https://www.unpac.me/results/e79cf71b-0b0f-43a0-b27a-450a8dbac714/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f72a7401885bd2c5ef7ac79407e2f5b803e475b4fdb598207a103c908e63179f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img daca02bbf5d1a4e93466bf86a70c96edc425a2397d2e95c813b486ad6ce506b1

AsyncRAT

Executable exe f72a7401885bd2c5ef7ac79407e2f5b803e475b4fdb598207a103c908e63179f

(this sample)

  
Dropped by
MD5 53de96d41de0191fce3e5e24c9cc3255
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72787/
  
Dropped by
SHA256 daca02bbf5d1a4e93466bf86a70c96edc425a2397d2e95c813b486ad6ce506b1

Comments