MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c
SHA3-384 hash: 2885c7f0255b29862a70f2971acce1c5398a3ef6984b048f05502633f873d888ae2f36ffe536b563591bb32f15775860
SHA1 hash: 8ae697c2bce8190f4bc324e0553ca111dd9bb8a6
MD5 hash: 9be5fc19a414a94352b127af2424ac86
humanhash: missouri-jupiter-pizza-edward
File name:AWB#5305323204643,pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:184'320 bytes
First seen:2020-05-20 06:54:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 3072:+Xd+bE8o3MBNQt6DP3tuHuvF08WkKalIWIMWsnoJZleFWKb+tRi4d3Y:+Xd+b5o3MBE5uvF08W/vM/2C7b+t84do
Threatray 849 similar samples on MalwareBazaar
TLSH E4047B5631696B1BC9ED50F9449A608447F05EB71292F3CA8CC6B1EB32D2BF7CA016C7
Reporter abuse_ch
Tags:AsyncRAT exe FedEx nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: [193.56.28.18]
Sending IP: 193.56.28.18
From: FedEx <track@fedex.com>
Subject: FedEx's AWB#5305323204643 - Information is required
Attachment: AWB5305323204643,pdf.iso (contains "AWB#5305323204643,pdf.exe")

AsyncRAT C2:
185.244.29.203:9980

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 07:16:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oswlcavyufooyghxlz6dpi3y7z7pct364ignrfukavxkwzvqjwa._file
Verdict:
suspicious
Similar samples:
00b85c15e241bfcd6a5a9d64029e117876da5029b60b8f4828f859277dafc6f2
AsyncRAT
3aed1fc591ecfec392005089c870bd1f645f352a99912c1de774918e1de67f8d
AsyncRAT
4cc5578e9b753897ef8d0659635de7aab82fe0e17b99caf8b622ba16b0ebb764
AsyncRAT
55187d6c2f610a3ce371a1fc9771ad42d90b7266c5e9ea45fced7acf9fe0ad13
AsyncRAT
664f6eaa9564770b3bcf02dd9f3627bde68bf98de0d9ae17829a1b122060a313
AsyncRAT
705f488d08262ffb7161421b0de427be7e83342895cd6af5f5f7aad593725d34
AsyncRAT
7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09
AsyncRAT
917a439a351ee055fe06848482c69532a15a101f4ec2c2a6faad04a505547436
AsyncRAT
95acc9e5d834d2fbd969547ccac5209bb66cffe2fcf772ba33267423961d3fd9
AsyncRAT
c4bb2da6ebc3708faa91997e5863224a41e8f177793064728f8a0a3201da46a2
AsyncRAT
+ 839 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat coreentity rat rezer0
Link:
https://tria.ge/reports/201109-vj5479zyyn/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Async RAT payload
rezer0
AsyncRat
CoreEntity .NET Packer
Malware Config
C2 Extraction:
null:null
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

iso e3ec61e0c6ac38b3d6d1371fa70634fa7f1b9bbefc7b2980d875982ba852ec63

AsyncRAT

Executable exe fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c

(this sample)

  
Dropped by
MD5 5cc5eb847777a649da39a1b452be18eb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e3ec61e0c6ac38b3d6d1371fa70634fa7f1b9bbefc7b2980d875982ba852ec63

Comments