MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff734df4d09afad52e931fce898a5497b78081fbca44f091e55a3da4b47c1350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff734df4d09afad52e931fce898a5497b78081fbca44f091e55a3da4b47c1350
SHA3-384 hash: 8ccc4118bcba45ac242df46b600c799a6f8a11b4a87942d26e7c7323c090b88f94fce9aeb51d1f2015180c4bbe310d20
SHA1 hash: a037c5953f8053f0243d725aad6991a354fdadc5
MD5 hash: 970b0aba184854999da1a9edcd199070
humanhash: friend-paris-ohio-pasta
File name:Reference Number -0022393899029288678.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:579'072 bytes
First seen:2020-11-05 09:37:32 UTC
Last seen:2020-11-05 11:51:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:eSKoy7rucAELooULJvw03P5YKpFFSXnK:srucACER9/5zFFf
Threatray 12 similar samples on MalwareBazaar
TLSH 98C4B6F440EE10A2E25F452576AE7EA402B2B1C7DBDB6E08137DE1710BBEA633B4550D
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: trenchless.in
Sending IP: 103.125.191.94
From: Account _maria <account@trenchless.in>
Subject: Re: Confirmation transfer
Attachment: Reference Number -0022393899029288678.zip (contains "Reference Number -0022393899029288678.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83169/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.4248.27908.18415.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/521208
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309703 Sample: Reference Number -002239389... Startdate: 05/11/2020 Architecture: WINDOWS Score: 84 59 freshg.ddns.net 2->59 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected AsyncRAT 2->67 69 5 other signatures 2->69 9 Reference Number -0022393899029288678.exe 1 4 2->9         started        12 logs.exe 2 2->12         started        15 vlc.exe 1 2->15         started        17 vlc.exe 2->17         started        signatures3 process4 file5 53 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 9->53 dropped 55 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 9->55 dropped 57 Reference Number -...99029288678.exe.log, ASCII 9->57 dropped 19 Reference Number -0022393899029288678.exe 6 9->19         started        22 Reference Number -0022393899029288678.exe 9->22         started        71 Multi AV Scanner detection for dropped file 12->71 73 Machine Learning detection for dropped file 12->73 24 vlc.exe 3 15->24         started        27 vlc.exe 17->27         started        29 vlc.exe 17->29         started        signatures6 process7 dnsIp8 51 C:\Users\user\AppData\Roaming\logs.exe, PE32 19->51 dropped 31 cmd.exe 1 19->31         started        33 cmd.exe 1 19->33         started        61 freshg.ddns.net 185.140.53.141, 2256, 49732, 49733 DAVID_CRAIGGG Sweden 24->61 35 cmd.exe 24->35         started        file9 process10 process11 37 logs.exe 2 31->37         started        39 conhost.exe 31->39         started        41 timeout.exe 1 31->41         started        43 conhost.exe 33->43         started        45 schtasks.exe 1 33->45         started        47 conhost.exe 35->47         started        49 schtasks.exe 35->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff734df4d09afad52e931fce898a5497b78081fbca44f091e55a3da4b47c1350/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 02:32:25 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=75zu35gqtl5nklutd7hitcsus63ybap3zjcpbepfli62jnd4cnia._file
Verdict:
unknown
Similar samples:
1643306adbe8c7e38ee965ab974c1d074afc671c0e5aa0c2b50a18cc67036a50
AsyncRAT
23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5
AsyncRAT
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
AsyncRAT
47aaf274ba6635b13798292366c06640a3dff0d314b56aabf0dc4f6d22ab5bd4
AsyncRAT
4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
AsyncRAT
c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924
AsyncRAT
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
AsyncRAT
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
AsyncRAT
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
AsyncRAT
e69d8cb762149ef5d9cbc14ba3b4c1a48395c5261f9c404608a37c1807f1e19e
AsyncRAT
+ 2 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/201105-kr6td6j5ge/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AsyncRat
Malware Config
C2 Extraction:
:
Unpacked files
SH256 hash:
ff734df4d09afad52e931fce898a5497b78081fbca44f091e55a3da4b47c1350
MD5 hash:
970b0aba184854999da1a9edcd199070
SHA1 hash:
a037c5953f8053f0243d725aad6991a354fdadc5
Link:
https://www.unpac.me/results/71513340-db5c-4fff-abe0-c8738e5b1635/
SH256 hash:
f9d331ffb5c7f652a91085ee3791cdee589f6aade5c0403f3d2c9b28fa489664
MD5 hash:
3b602a9bf825e9d86460768fddbcafa8
SHA1 hash:
417270b1d1da8ff2165bb0026d456d27b3343412
Link:
https://www.unpac.me/results/71513340-db5c-4fff-abe0-c8738e5b1635/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/71513340-db5c-4fff-abe0-c8738e5b1635/
SH256 hash:
e19657cacab75a564e6e24ba4021fa2631767d16f2ff7ef50afa6557bf04fba8
MD5 hash:
cc4633dcc38ca8b35b6a8e7e1231f168
SHA1 hash:
fca75645ab2f3dc526ca1b06d22efdad5d13fd1b
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/71513340-db5c-4fff-abe0-c8738e5b1635/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 940c4472c416674d16e45cf0bb7e93b166af317938f2fc3a1fd3f30f37c2cadd

AsyncRAT

Executable exe ff734df4d09afad52e931fce898a5497b78081fbca44f091e55a3da4b47c1350

(this sample)

  
Dropped by
MD5 2bec5fd09c85370af3cb17f1dc2a98cc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83169/
  
Dropped by
SHA256 940c4472c416674d16e45cf0bb7e93b166af317938f2fc3a1fd3f30f37c2cadd

Comments