MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6
SHA3-384 hash: 80ce7b26d5a355419583f64b5b748933ed3a2f45d8f9f49ac8e40cea0818d8672b61fe9db4d9091554abdbac9931138b
SHA1 hash: a63797f7520ac7c915ac6415a8f8d410a88abc4a
MD5 hash: 826f4136e490aa722a6dfe4c43b26992
humanhash: harry-lima-four-seventeen
File name:fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'484'800 bytes
First seen:2020-11-15 23:19:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cd6c8cceda8b0e47cf64c5128fde3f69 (17 x Loki, 9 x NanoCore, 8 x AsyncRAT)
ssdeep 24576:ZSZ7x5jlq8H4Y9n3YcddMaCyQJynnBJHPAj9KUoOYzIo9ULq3:Zyjj8JehdSJcf4hKUoOY0uULq3
Threatray 2'472 similar samples on MalwareBazaar
TLSH 4A65D02EB1A14437CD622A3DC80B5764A831BD313F65B58E3BEF18489F7965D3829393
Reporter seifreed
Tags:AsyncRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Undefined-6662925-0
Create hunting rule

Win.Dropper.Undefined-6663182-0
Create hunting rule

Win.Malware.Dapato-9779765-0
Create hunting rule

Win.Malware.Generic-9784581-0
Create hunting rule

Win.Malware.Generic-9784689-0
Create hunting rule

Win.Trojan.Generickdz-9784846-0
Create hunting rule

Win.Trojan.Netwire-9784905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Deleting a recently created file
Connection attempt
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536887
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317543 Sample: c6sMOK3rYy Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AntiVM_3 2->35 37 Yara detected AsyncRAT 2->37 39 3 other signatures 2->39 7 c6sMOK3rYy.exe 2->7         started        10 wscript.exe 1 2->10         started        process3 signatures4 41 Detected unpacking (changes PE section rights) 7->41 43 Detected unpacking (creates a PE file in dynamic memory) 7->43 45 Detected unpacking (overwrites its own PE header) 7->45 47 5 other signatures 7->47 12 c6sMOK3rYy.exe 7->12         started        15 notepad.exe 1 7->15         started        17 c6sMOK3rYy.exe 10->17         started        process5 signatures6 49 Writes to foreign memory regions 12->49 51 Allocates memory in foreign processes 12->51 53 Maps a DLL or memory area into another process 12->53 19 c6sMOK3rYy.exe 2 12->19         started        22 notepad.exe 1 12->22         started        55 Drops VBS files to the startup folder 15->55 57 Delayed program exit found 15->57 24 notepad.exe 1 17->24         started        27 c6sMOK3rYy.exe 17->27         started        process7 dnsIp8 31 52.233.66.100, 7707 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->31 29 C:\Users\user\AppData\Roaming\...\Skype.vbs, ASCII 24->29 dropped file9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:22:17 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jx5itpgk32bfe4zh6dpar7qrxiogvg5vyr7jdzeyhvumzswlxta._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0b84a62fb1d8d120b92b316c02bdf18af2de5c0c5cd09f55b66e24899a4a6360
AsyncRAT
2cd90fecf4222117ecf6478b1ead6bfa0d059303949f0cd91654b9b92d78ec09
AsyncRAT
4075e5cedf262f587538979cd6d62ff4b0fc5bdf7f9a4b770ae9e297ea7c9fcc
AsyncRAT
4457d49095a509a84ce5c9796b7470c03a95638e1f628882cb8f6331b0153efb
AsyncRAT
46bf7a6257a12bb2e56d9770eebc93606d9cf3f1f3af49ba987ebfef0ddb6216
AsyncRAT
56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d
AsyncRAT
6fa08611480dab2f2adf82fa81e9b40bedb5a8d82903029da4029250ff8bbf65
AsyncRAT
812a2ed477ffdac4f86746d587fd8a34ac9c1f6b65c15a38ac08079c32ecfdce
AsyncRAT
ac8fcffe7966af957a58b52c744c026eff7acc393ffbc57d0fe9e8c2d901f68e
AsyncRAT
e678a72b6f30f69daafd945543d4bb3e58152c37f8a7b883ce96b9ddf1c1c482
AsyncRAT
+ 2'462 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6
MD5 hash:
826f4136e490aa722a6dfe4c43b26992
SHA1 hash:
a63797f7520ac7c915ac6415a8f8d410a88abc4a
Link:
https://www.unpac.me/results/a7171d24-dddd-46f9-bfbe-0f9cfc437ebb/
SH256 hash:
1d2957a1490a2223e3516b76486aece16871caed5d5278adbe3864347d77aa10
MD5 hash:
fd050a4850c93f30d89689423e17a04b
SHA1 hash:
c81219327ca0ff489d4a024c9cc16618a9a1778c
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/a7171d24-dddd-46f9-bfbe-0f9cfc437ebb/
Parent samples :
cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb
46bf7a6257a12bb2e56d9770eebc93606d9cf3f1f3af49ba987ebfef0ddb6216
2cd90fecf4222117ecf6478b1ead6bfa0d059303949f0cd91654b9b92d78ec09
ac8fcffe7966af957a58b52c744c026eff7acc393ffbc57d0fe9e8c2d901f68e
fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6
727a720f0ed8942d28c1cf7e7185f868706dcd2693f2868e6b5932f382020a39
SH256 hash:
8ea91752f5c7f35ac556ad9eeb50733e6a4e68b69520a834a4eca3f4d3dc857a
MD5 hash:
061ea5e590055a6c932b383fcaf2b055
SHA1 hash:
d9dc6848a6d71101b786df1bd97439f0a70cb8f3
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/a7171d24-dddd-46f9-bfbe-0f9cfc437ebb/
Parent samples :
cabc274ac3286b10f71d65ba8165a24dd28c654bf20dec7f96b5b71dff3964fb
46bf7a6257a12bb2e56d9770eebc93606d9cf3f1f3af49ba987ebfef0ddb6216
2cd90fecf4222117ecf6478b1ead6bfa0d059303949f0cd91654b9b92d78ec09
ac8fcffe7966af957a58b52c744c026eff7acc393ffbc57d0fe9e8c2d901f68e
fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6
727a720f0ed8942d28c1cf7e7185f868706dcd2693f2868e6b5932f382020a39
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa6fd44de656f41293993f86f047f08dd0e354ddae23f48f24c1eb4666565de6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments