MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e
SHA3-384 hash: 7c7d70afaa7251a4625e1bc64659856243f391fa62ceb9d38943f1c66a260e2aead783da5eb2746d3fbc61964060e923
SHA1 hash: 17b5d2875f7e5ae18b192e0f99c26f8145f985ee
MD5 hash: 4d5f50841ae2d1f19a30b2e345844c21
humanhash: queen-hydrogen-pizza-iowa
File name:fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:718'336 bytes
First seen:2021-09-22 13:21:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:8w8aW0/VaWlqilSM5rMHRt1bm8bunA6Zd9gGkPMtkbzshvAh1pyHaE1:Be0/wi4IrEvn6Zd9gNbzsqU
Threatray 1'836 similar samples on MalwareBazaar
TLSH T11DE4BB8DBA881363EC7DDCB4A9040D1CBB553AD73780F567978A21E7A35F0523A83B64
File icon (PE):PE icon
dhash icon e0f0e8cacae8e4f0 (1 x AsyncRAT)
Reporter JAMESWT_WT
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e
Verdict:
Malicious activity
Analysis date:
2021-09-22 14:01:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3394dd7-8a6b-4dc1-a789-d73c55a44457

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190244/
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6167d2e9-e356-4f07-b743-cf9a30cb4180
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855782
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488215 Sample: hW2DXhc712 Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 7 hW2DXhc712.exe 4 2->7         started        10 gg.exe 3 2->10         started        process3 signatures4 53 Writes to foreign memory regions 7->53 55 Tries to delay execution (extensive OutputDebugStringW loop) 7->55 57 Injects a PE file into a foreign processes 7->57 12 cmd.exe 3 7->12         started        15 cmd.exe 1 7->15         started        18 vbc.exe 2 7->18         started        59 Multi AV Scanner detection for dropped file 10->59 61 Machine Learning detection for dropped file 10->61 63 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->63 21 cmd.exe 1 10->21         started        23 cmd.exe 1 10->23         started        25 vbc.exe 3 10->25         started        process5 dnsIp6 39 C:\Users\user\AppData\Roaming\gg\gg.exe, PE32 12->39 dropped 41 C:\Users\user\...\gg.exe:Zone.Identifier, ASCII 12->41 dropped 27 conhost.exe 12->27         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 15->65 29 conhost.exe 15->29         started        31 schtasks.exe 1 15->31         started        43 exelelo.zapto.org 94.204.143.223, 7707 DU-AS1AE United Arab Emirates 18->43 33 conhost.exe 21->33         started        35 schtasks.exe 1 21->35         started        37 conhost.exe 23->37         started        file7 signatures8 process9
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 01:50:00 UTC
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tk7ysk3j6a37ekjdnjoc5m47e3zjpytl7wwi2nf2hqgmpp3nq7a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
26bec6114e67239a103b0c33fef33c802a77703a71ef3a204222454b994dbcf4
AsyncRAT
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
AsyncRAT
507cd77f0000cc2af40601e9121683769ea55d389a1df1c7832a103785711fb4
AsyncRAT
977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1
AsyncRAT
c92748428af1806d4ecc702bce8ad9abcac6b738e7208d3586450cb4944a87a9
AsyncRAT
f051b1c9df37c1d4236c98b54883d4005572910949a1be18ab6ead13754147dc
AsyncRAT
f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
AsyncRAT
f5cb1fde3016b1c8c6927d64cca4a84f81987b50382c19b42c4e1b5f137360f2
AsyncRAT
+ 1'826 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:asas rat
Link:
https://tria.ge/reports/210922-ql9saafdam/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
exelelo.zapto.org:7707
Unpacked files
SH256 hash:
bf099c5dba98d38c892b103aa79480dd5257e3ac52b09fff2602370ad9491af2
MD5 hash:
086cf3c91f31a4b693a84da73e4ae88a
SHA1 hash:
161dad90a46ae2e2771f19f45f091b4a3403b7aa
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/25af646c-5ec8-4797-8ac7-59ee877d8157/
SH256 hash:
fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e
MD5 hash:
4d5f50841ae2d1f19a30b2e345844c21
SHA1 hash:
17b5d2875f7e5ae18b192e0f99c26f8145f985ee
Link:
https://www.unpac.me/results/25af646c-5ec8-4797-8ac7-59ee877d8157/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcd5fc495b4f81bf91491b52e1759cf93794bf135fed6469a5d1e0663dfb6c3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190244/

Comments