MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd5787f252991130457a5aaa488942f167cfc8b8655a9a1ea2746906cb0a3768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd5787f252991130457a5aaa488942f167cfc8b8655a9a1ea2746906cb0a3768
SHA3-384 hash: bd8de62f09d3831a33b4eefd4d86b2003284fda2e5ee9b0ac4a509eabfcfa9e601810fb6aace070e148e7142f76cb6eb
SHA1 hash: b5f7704c2e7ecac0a043a1d5d4a4138bee9abddd
MD5 hash: a17c1859671b6fc660a8877cf8ff5a87
humanhash: double-rugby-india-coffee
File name:IMG_20201122164730,XLS.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:281'600 bytes
First seen:2020-07-22 08:46:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Q6A9jUTk5ZRjE8HRv42GhNz6mRbv0OvHUvdju:rAiYn5Xxv42iNz6mF0OvH
Threatray 411 similar samples on MalwareBazaar
TLSH 7554BF197F814438C63E0AFB48E750D4A2B5DD23B512DE1E34CAB278CE736975B82587
Reporter abuse_ch
Tags:AsyncRAT scr


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: fav.server.vps
Sending IP: 184.175.86.138
From: Lisa Du <lisadu@ctsfreight.com>
Subject: 答复: 答复: WX17-0583订舱 CSHUA7080473 进仓单
Attachment: è¿›ä»“å • 20201122164730,XLS.z (contains "IMG_20201122164730,XLS.scr")

AsyncRAT C2:
panda45.duckdns.org:62727 (62.102.148.158)

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30962/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Njrat.3901.6088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/394756
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249784 Sample: IMG_20201122164730,XLS.scr Startdate: 23/07/2020 Architecture: WINDOWS Score: 84 30 Antivirus / Scanner detection for submitted sample 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected AsyncRAT 2->34 36 5 other signatures 2->36 7 IMG_20201122164730,XLS.exe 6 2->7         started        10 pcalua.exe 1 1 2->10         started        12 pcalua.exe 1 2->12         started        process3 file4 24 C:\Users\user\AppData\...\h3LHvp9KlRx.exe, PE32 7->24 dropped 26 C:\Users\...\h3LHvp9KlRx.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\...\IMG_20201122164730,XLS.exe.log, ASCII 7->28 dropped 14 h3LHvp9KlRx.exe 2 7->14         started        17 cmd.exe 1 7->17         started        process5 signatures6 40 Antivirus detection for dropped file 14->40 42 Multi AV Scanner detection for dropped file 14->42 44 Machine Learning detection for dropped file 14->44 19 reg.exe 1 1 17->19         started        22 conhost.exe 17->22         started        process7 signatures8 38 Creates an autostart registry key pointing to binary in C:\Windows 19->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd5787f252991130457a5aaa488942f167cfc8b8655a9a1ea2746906cb0a3768/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 08:48:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vlyp4ssteitarl2lkverckc6ft47sfymvnjuhvcoruqnsykg5ua._file
Verdict:
malicious
Similar samples:
19d23d06b49ced25b47d72f5338af4fa1fc533cce85dcaff4286e0da31054a38
AsyncRAT
1cf9635133972859e226ccff6a787c9bb8d2ca6471ae5a9650b3841625072444
AsyncRAT
32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb
AsyncRAT
49a63eb1c6fd5d4b22396bb8a8397c3bf124c3f94d104bc2a7a304f4457b4526
AsyncRAT
49e632e838ac0139428e5642877ed012359df09fbe438637be2de99dcb68d73d
AsyncRAT
581d4ba63e52707e1839c7d2c026c847d788b8b3025046bdb491f95a431ca1f7
AsyncRAT
5da82dd52f913ff5d416ec5479133a0f89cd5d835d2fbd964f32191f642ca9fa
AsyncRAT
83ef26bdf4b6b513417a97c8997aa2152bc0fb0f0af9d0b30cf6a46d4959ce38
AsyncRAT
c926c7de61dd7fe8057e5142bbf2263004191728bc8ba132136a2fc4b7353584
AsyncRAT
d7b0f275997cb07e5a97600fb21eb19d14096352af7990797f863b74941a1603
AsyncRAT
+ 401 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:asyncrat
Link:
https://tria.ge/reports/200722-fdb8e7vdlj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd5787f252991130457a5aaa488942f167cfc8b8655a9a1ea2746906cb0a3768

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

z 4ba6da704c58b44ac4baf121e52ceca2542d1b2c9efc358f91b4c78ab39bbcf5

AsyncRAT

Executable exe fd5787f252991130457a5aaa488942f167cfc8b8655a9a1ea2746906cb0a3768

(this sample)

  
Dropped by
MD5 d45371a579e4839eb47571c42c991c6b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30962/
  
Dropped by
SHA256 4ba6da704c58b44ac4baf121e52ceca2542d1b2c9efc358f91b4c78ab39bbcf5

Comments