MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7b8a43156a4ed375acd101847b41f358fd4ea3ce4d2cf9ffcf18f278f7a4479. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7b8a43156a4ed375acd101847b41f358fd4ea3ce4d2cf9ffcf18f278f7a4479
SHA3-384 hash: 95a94e3a15e71634292ca3a592bf9d20c2917de89db59955b21674bd32eded666011b2dc572d68024a9bd18d9fe795cd
SHA1 hash: 22ef3f3824675051ad172e4596db333106ae6a33
MD5 hash: fbd44c495602efcd29d343bf41e94c70
humanhash: west-fish-venus-july
File name:SecuriteInfo.com.Trojan.KillProc2.14740.25300.23514
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:395'144 bytes
First seen:2020-11-26 23:49:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:QGHAIC3RGBpq4dfbe5ih+QUcnrEdJh90Gpsm4sy37JX46w9mtOiuBFND0:JAIC3ABa5iYcrgnxLy379iSQ6
Threatray 50 similar samples on MalwareBazaar
TLSH DC84129697451D26EEAD0F7A90EBA1408739F4AFE6ABE75F104804311D233D7C9A2CC7
Reporter SecuriteInfoCom
Tags:AsyncRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105763/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/548655
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7b8a43156a4ed375acd101847b41f358fd4ea3ce4d2cf9ffcf18f278f7a4479/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-22 15:55:50 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
151c9749ebcb80a9044840b499d3ec969f2cd5679b59253c23883c70af486475
AsyncRAT
394460b6c0b33b4e5d45308e968e765627fb9f34d4ad8c51b8922543d6bf2490
AsyncRAT
5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2
AsyncRAT
6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6
AsyncRAT
78491e950a624399f497cedd25cae2231223b1bcd2f93379480b3c9edb4c6a92
AsyncRAT
a8883460eb4eda4b981767c15ae6fadf5dd2c5ff7d8d8325b417bbdf71dece1a
AsyncRAT
bc36fa2314f4e45645af22ca75887b7b627de4a65bfd1d274f18e7fc1975c8e4
AsyncRAT
bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
AsyncRAT
d0f1b190868c2b25c602e6eee551a39fe677678d6e7dc45eb304fa82a5760799
AsyncRAT
ecf592d2aed1d17b4c75e72a40edeb9b4396c8c9181cee7519ebe63bb7391870
AsyncRAT
+ 40 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/201126-32qm37wcqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Uses the VBS compiler for execution
AsyncRat
Malware Config
C2 Extraction:
:
Unpacked files
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/4afe468d-7163-41b8-943b-e4a6bc976c28/
SH256 hash:
f66fd7ab775aa4fd78ac74e0eaef2451f52050d503d9413e530a4afaf2287ef6
MD5 hash:
1a1a2b4d6db4291fec998a6a1061e90f
SHA1 hash:
acc0713a11301453e5bff2b5de4f51c3c23173bb
Link:
https://www.unpac.me/results/4afe468d-7163-41b8-943b-e4a6bc976c28/
SH256 hash:
e2fad36adb1cf1340833003cc38373a23daf5ef9a7d20f0e5465148be5ec0855
MD5 hash:
1a4e015969d3e7448c0ebe8f0f6919da
SHA1 hash:
59ab1e82649c2c1fa234065ccbc0cde521cd2f1a
Link:
https://www.unpac.me/results/4afe468d-7163-41b8-943b-e4a6bc976c28/
SH256 hash:
3d039d7d7f73c52e0412192b3ff7ac85402a3ce74d3ca02b8ec35383fa28d53a
MD5 hash:
3041df2903d0f385641ff7d35d1ff583
SHA1 hash:
56ae5e791ed170f19a30495a6b7a6c5c27fe99eb
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/4afe468d-7163-41b8-943b-e4a6bc976c28/
SH256 hash:
f7b8a43156a4ed375acd101847b41f358fd4ea3ce4d2cf9ffcf18f278f7a4479
MD5 hash:
fbd44c495602efcd29d343bf41e94c70
SHA1 hash:
22ef3f3824675051ad172e4596db333106ae6a33
Link:
https://www.unpac.me/results/4afe468d-7163-41b8-943b-e4a6bc976c28/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7b8a43156a4ed375acd101847b41f358fd4ea3ce4d2cf9ffcf18f278f7a4479

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Saudi_Phish_Trojan
Create hunting rule
Author:Florian Roth
Description:Detects a trojan used in Saudi Aramco Phishing
Reference:https://goo.gl/Z3JUAA

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe f7b8a43156a4ed375acd101847b41f358fd4ea3ce4d2cf9ffcf18f278f7a4479

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/858096/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105763/

Comments