MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa36868347a2123d27edf7866bd82006c246b078c06d8138179701973caa2d15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa36868347a2123d27edf7866bd82006c246b078c06d8138179701973caa2d15
SHA3-384 hash: 472a06d5eb95b97a77dc92b8ba8cfdab3a442100b5a519d1fc9f328c15e839e4227d0af0f05aa85baba9c98318d14298
SHA1 hash: 55a4b8647aa88c58d50b9ca5fdb78ec5ddb27a72
MD5 hash: 4c0005443d6f0efe50a165339ffa60c0
humanhash: alaska-cup-hamper-red
File name:#RFQ ORDER4844755758484.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:65'536 bytes
First seen:2021-08-06 04:11:22 UTC
Last seen:2021-08-09 08:07:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:CU2oB06+Kbri5eKWNhwdNZIFDAE91HRdu6lNK6dtK9UMXYESfbKUU5lU1eaK5Cxx:CU2oB06+Kbri5eKWNhwdNZIFDAE91HR5
Threatray 323 similar samples on MalwareBazaar
TLSH T130536106B2BC1F5BE4BE9BF8AAA5A90487F5762D2431E7084DD670CF2465F804560F3B
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
185.29.11.39:1515

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.29.11.39:1515 https://threatfox.abuse.ch/ioc/165862/

Intelligence

File Origin
# of uploads :
3
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
#RFQ ORDER4844755758484.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 04:12:33 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/788581cb-1d9c-4a9e-ad80-46ff4c2f809d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176857/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.EHH.genEldorado.11099.96.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f379354a-56e8-44b2-80af-bb8264325410
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/828024
Signature
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460455 Sample: #RFQ ORDER4844755758484.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 96 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Yara detected AntiVM3 2->64 66 Yara detected AsyncRAT 2->66 68 5 other signatures 2->68 9 #RFQ ORDER4844755758484.exe 15 4 2->9         started        12 #RFQ ORDER4844755758484.exe 3 2->12         started        process3 dnsIp4 54 cdn.discordapp.com 162.159.134.233, 443, 49739, 49750 CLOUDFLARENETUS United States 9->54 56 192.168.2.1 unknown unknown 9->56 15 cmd.exe 3 9->15         started        19 cmd.exe 1 9->19         started        72 Injects a PE file into a foreign processes 12->72 21 #RFQ ORDER4844755758484.exe 1 2 12->21         started        24 #RFQ ORDER4844755758484.exe 12->24         started        signatures5 process6 dnsIp7 44 C:\Users\user\...\#RFQ ORDER4844755758484.exe, PE32 15->44 dropped 46 #RFQ ORDER48447557...exe:Zone.Identifier, ASCII 15->46 dropped 58 Suspicious powershell command line found 15->58 60 Drops PE files to the startup folder 15->60 26 conhost.exe 15->26         started        28 powershell.exe 18 19->28         started        30 wscript.exe 19->30         started        32 conhost.exe 19->32         started        34 timeout.exe 1 19->34         started        52 grant123four5.ddns.net 185.29.11.39, 1515, 49767 DATACLUB-NL European Union 21->52 file8 signatures9 process10 process11 36 #RFQ ORDER4844755758484.exe 28->36         started        dnsIp12 48 162.159.129.233, 443, 49765 CLOUDFLARENETUS United States 36->48 50 cdn.discordapp.com 36->50 70 Injects a PE file into a foreign processes 36->70 40 #RFQ ORDER4844755758484.exe 36->40         started        42 #RFQ ORDER4844755758484.exe 36->42         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa36868347a2123d27edf7866bd82006c246b078c06d8138179701973caa2d15/
Threat name:
ByteCode-MSIL.Trojan.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 04:12:04 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7i3ina2huijd2j7n66dgxwbaa3benmdyybwycoaxs4azopfkfukq._file
Verdict:
unknown
Similar samples:
1ba68a19bea8cc34d1145e30c3edd928a4bbc35798f13c109be206eb7b8ac89a
AsyncRAT
5ae912c556f676264f800d3ab31aa932564b2dde8fae76f6dbeb8d568f92aee5
AsyncRAT
7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217
AsyncRAT
8e3c9001f9377d8c55aabd93e84e71e5b0eaa73bf783e880ef70476b442348b7
AsyncRAT
9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
AsyncRAT
ac44cb33fc3c483e92ec55e10fc93a95e2eb86ddaedd666f77aff458bcf44ab2
AsyncRAT
cc43f37f9eb41430bbfb6f1515b65c5fd2bc7b7565701c71aa65731fdf46c288
AsyncRAT
e04335ac94e24921533541cae7480092fc25063caa280ebe3ed5a8697af3a844
AsyncRAT
f89a5f2fb9ba4e0e3714a51dff8ca9f56cc54f66368ceadf66e503942c4abac8
AsyncRAT
+ 313 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat suricata
Link:
https://tria.ge/reports/210806-6cgf85xbd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
grant123four5.ddns.net:1515
194.5.98.64:1515
Unpacked files
SH256 hash:
fa36868347a2123d27edf7866bd82006c246b078c06d8138179701973caa2d15
MD5 hash:
4c0005443d6f0efe50a165339ffa60c0
SHA1 hash:
55a4b8647aa88c58d50b9ca5fdb78ec5ddb27a72
Link:
https://www.unpac.me/results/37620d71-2fcd-40e3-b9d2-cd34d7537545/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fa36868347a2123d27edf7866bd82006c246b078c06d8138179701973caa2d15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176857/

Comments