MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663
SHA3-384 hash: 5e1f70da93b73f53fb4cd680acecd8ff0d2c8ee86e575eca0b582c2426ced3353c72b1ed8f652f9948f3b02d9b2a4d77
SHA1 hash: bf949f2cb7457bcc173e0b98f656be133a088225
MD5 hash: f5bfac09b17af66506e500ce22c71f92
humanhash: earth-butter-chicken-king
File name:Passenger Itinerary.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:80'636 bytes
First seen:2024-12-12 14:26:20 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:9dKIP+7Eys+3Xe05WVD8/PSfxDrtlsMKePYPm9nPJ6oMM:9dKIP8EyF3rqD8/2xvtBP0InR6NM
Threatray 425 similar samples on MalwareBazaar
TLSH T1E773CFB44B1B0799FF3165F3FAC88C0A7474CAB6CCA08B60D8589E780DB556B0FA551B
Magika vba
Reporter JAMESWT_WT
Tags:AsyncRAT emptyservices-xyz vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675af464e19061cac7f0030f
Tags:
shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/675af2c8e2b28ac5ea14830b/reports/1892ea07-33cb-4e72-aa89-4ee932a0aa25/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1573769
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Performs DNS queries to domains with low reputation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1573769 Sample: Passenger Itinerary.vbs Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 68 emptyservices.xyz 2->68 76 Sigma detected: Register Wscript In Run Key 2->76 78 Antivirus detection for URL or domain 2->78 80 Antivirus detection for dropped file 2->80 84 8 other signatures 2->84 11 wscript.exe 2 2->11         started        15 wscript.exe 2->15         started        17 wscript.exe 1 2->17         started        signatures3 82 Performs DNS queries to domains with low reputation 68->82 process4 file5 60 C:\Users\user\AppData\Local\Temp\system.bat, DOS 11->60 dropped 90 VBScript performs obfuscated calls to suspicious functions 11->90 92 Suspicious powershell command line found 11->92 94 Wscript starts Powershell (via cmd or directly) 11->94 96 2 other signatures 11->96 19 cmd.exe 1 11->19         started        22 powershell.exe 14 15 11->22         started        24 cmd.exe 15->24         started        26 cmd.exe 1 17->26         started        signatures6 process7 signatures8 86 Suspicious powershell command line found 19->86 88 Wscript starts Powershell (via cmd or directly) 19->88 28 powershell.exe 4 31 19->28         started        31 conhost.exe 19->31         started        33 cmd.exe 1 19->33         started        35 conhost.exe 22->35         started        37 powershell.exe 24->37         started        45 2 other processes 24->45 39 conhost.exe 26->39         started        41 cmd.exe 26->41         started        43 powershell.exe 26->43         started        process9 file10 62 C:\Users\user\AppData\...\Windows_Log_135.vbs, ASCII 28->62 dropped 64 C:\Users\user\AppData\...\Windows_Log_135.bat, DOS 28->64 dropped 47 wscript.exe 1 28->47         started        66 \Device\ConDrv, ASCII 37->66 dropped process11 signatures12 98 Wscript starts Powershell (via cmd or directly) 47->98 50 cmd.exe 1 47->50         started        process13 signatures14 72 Suspicious powershell command line found 50->72 74 Wscript starts Powershell (via cmd or directly) 50->74 53 powershell.exe 50->53         started        56 conhost.exe 50->56         started        58 cmd.exe 1 50->58         started        process15 dnsIp16 70 45.149.241.239, 1978, 49833, 49891 UUNETUS Germany 53->70
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqkraxhz4z3we3k5tusvecy52etzxof4f3uca6d5b7ghn3gt4zrq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
AsyncRAT
1a5910ce3b26031816250a63e0c2d77d14b73aafa45623d01f1d2de9bd46bdbe
AsyncRAT
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd
AsyncRAT
6d09d43c755d5081924748104ac487afadaf68add75d85feb2a256de032a5e2c
AsyncRAT
6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff
AsyncRAT
9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e
AsyncRAT
a678475627246ac2716b5618ec5010e67660ab4441367bee23de473449d98c11
AsyncRAT
ce438c103a40dbd12f48547c2d8604c947232376f87eadd1a2da3b7bfac28d02
AsyncRAT
error
AsyncRAT
+ 415 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default execution rat
Link:
https://tria.ge/reports/241212-rse2xsypcl/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
45.149.241.239:1978
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments