MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd80116dffb4a52d6a31d33d06f3ff943c38f6ada8fd3d9e9ffaeb0422a010a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 8 File information Comments

SHA256 hash:	fd80116dffb4a52d6a31d33d06f3ff943c38f6ada8fd3d9e9ffaeb0422a010a9
SHA3-384 hash:	ced55e25b7c49cd68de5d746eddd9ef5b927c91b799738bb0fc1391cdfdbb3778802c1bbbdc67f20212bbe391e99a55d
SHA1 hash:	f6d4b908eb0879c13716f93581a2aa5fe31b792b
MD5 hash:	e6b54146eb295792de721286a0c205f3
humanhash:	seven-comet-oven-pluto
File name:	Preview.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	32'768 bytes
First seen:	2021-06-15 08:56:37 UTC
Last seen:	2021-06-15 09:52:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:f9WzaeQoyRhDEhAQR1W+1R3WekiqvEXPXebr5h19G+uXr+br3W4YMBJSWKDTkI/Z:f5eQjdaXGNiqvEfs5hKP+bz9f0D41LO
Threatray	1'094 similar samples on MalwareBazaar
TLSH	55E2095393482AB4C46A377D94796B8437BA7FC159B3CA2C180530033EF3F162A69ED9
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

abuse_ch

AsyncRAT C2:
46.243.150.151:38259

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
46.243.150.151:38259	https://threatfox.abuse.ch/ioc/115835/

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Preview.exe

Verdict:

Malicious activity

Analysis date:

2021-06-15 08:59:29 UTC

Tags:

trojan rat asyncrat

Link:

https://app.any.run/tasks/f83aae95-62be-420b-83fb-5fd074baea2f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/166429/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.31290.12293.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Creating a file

Moving a recently created file

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Sending a UDP request

Deleting a recently created file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6cd68aeb-2523-4d13-83cc-ce6686a4c351

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

evad

Score:

29 / 100

Link:

https://www.joesandbox.com/analysis/802270

Signature

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

asyncrat

Link:

https://mwdb.cert.pl/sample/fd80116dffb4a52d6a31d33d06f3ff943c38f6ada8fd3d9e9ffaeb0422a010a9/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-06-15 08:57:09 UTC

AV detection:

8 of 46 (17.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7wabc3p7wsss22rr2m6qn477sq6dr5vnvd6t3hu77lvqiivaccuq._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

1578d1e95037312fdbb8e0f46f086316e68bad3b9c8cd9a5a9a113fc6a883b90

AsyncRAT

19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0

AsyncRAT

1b7afa2a07f65c2cb04454ba72f066bdc4daf640ad3b75cfac5fe82eed6c2c76

AsyncRAT

34f8bcf6b03161c345bac8ab9238cbe95865e69d25f597ca111bf22b0f887717

AsyncRAT

3749646ab64511b608918d8aacb89dfaee1bc8a0be15247ee7e804f9f7be6627

AsyncRAT

4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a

AsyncRAT

869147dc42f117713c1b9070d615deda8ff7d7baf8c5baea4ccee3c21829fa96

AsyncRAT

bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a

AsyncRAT

c52ddeac61f16fb23ff925617fba081392b7aabe47c82c765513755d38e62cde

AsyncRAT

+ 1'084 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://tria.ge/reports/210615-e2sp28qf3j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Loads dropped DLL

Executes dropped EXE

Nirsoft

Unpacked files

SH256 hash:

fd80116dffb4a52d6a31d33d06f3ff943c38f6ada8fd3d9e9ffaeb0422a010a9

MD5 hash:

e6b54146eb295792de721286a0c205f3

SHA1 hash:

f6d4b908eb0879c13716f93581a2aa5fe31b792b

Link:

https://www.unpac.me/results/5e2ffe9e-a80b-4a27-bbd1-9ec68e201b6c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/fd80116dffb4a52d6a31d33d06f3ff943c38f6ada8fd3d9e9ffaeb0422a010a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166429/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample