MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fef26592bc2346c62716226db150d22f7e148ab630659ee4889c4bce481a977a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fef26592bc2346c62716226db150d22f7e148ab630659ee4889c4bce481a977a
SHA3-384 hash: 86f9234a3e49328278179cf6f158f87554cf0225c319fdd3fcabe44421a429dfe9201242472ec9f8e73bb00bb4ed3598
SHA1 hash: aabe2f8424a6307ee96bf402de8431e538fee867
MD5 hash: d860eae804b05b4eddadb553a1760ade
humanhash: two-illinois-lima-cup
File name:Documento1.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'098 bytes
First seen:2025-07-27 18:03:40 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:9AJwAHqaAXwwkRMMG2lcgUtP1u0KetJYYzoOl9uGq4Lwu2bVzEeqreqewx7:eCGRfvlclZ1u0bJJTLwnbE
TLSH T16511DD9D995FACB74D7322A4DB82120DEEB2EB132036C42A7A08DD0A17315F4A2483D3
Magika vba
Reporter smica83
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17208/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6885aa59af3050dc8d316b99
Tags:
vmdetect autorun
Verdict:
Suspicious
Labled as:
Trojan.Script.VBS
Link:
https://www.hybrid-analysis.com/sample/fef26592bc2346c62716226db150d22f7e148ab630659ee4889c4bce481a977a
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745127
Signature
Adds a directory exclusion to Windows Defender
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Disables Windows Defender (via service or powershell)
Found malware configuration
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Potential malicious VBS script found (has network functionality)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AsyncRAT
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1745127 Sample: Documento1.vbs Startdate: 27/07/2025 Architecture: WINDOWS Score: 100 79 raw.githubusercontent.com 2->79 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 9 other signatures 2->93 11 wscript.exe 15 2->11         started        16 WindowsAtualizador.exe 2->16         started        18 driveb.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 85 raw.githubusercontent.com 185.199.111.133, 443, 49691 FASTLYUS Netherlands 11->85 73 C:\Users\user\AppData\Local\...\programa.exe, PE32+ 11->73 dropped 75 C:\...\Adobe%20-%20Leitor%20de%20PDF[1].exe, PE32+ 11->75 dropped 115 System process connects to network (likely due to code injection or exploit) 11->115 117 Benign windows process drops PE files 11->117 119 VBScript performs obfuscated calls to suspicious functions 11->119 121 2 other signatures 11->121 22 programa.exe 14 11->22         started        file6 signatures7 process8 file9 63 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 22->63 dropped 65 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 22->65 dropped 67 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 22->67 dropped 69 9 other malicious files 22->69 dropped 97 Multi AV Scanner detection for dropped file 22->97 99 Modifies Windows Defender protection settings 22->99 101 Adds a directory exclusion to Windows Defender 22->101 103 Disables Windows Defender (via service or powershell) 22->103 26 programa.exe 4 4 22->26         started        signatures10 process11 file12 71 C:\Users\user\...\WindowsAtualizador.exe, PE32 26->71 dropped 107 Creates multiple autostart registry keys 26->107 109 Modifies Windows Defender protection settings 26->109 111 Adds a directory exclusion to Windows Defender 26->111 113 Disables Windows Defender (via service or powershell) 26->113 30 WindowsAtualizador.exe 1 6 26->30         started        34 cmd.exe 1 26->34         started        36 cmd.exe 1 26->36         started        38 Acrobat.exe 26->38         started        signatures13 process14 file15 77 C:\Users\user\AppData\Roaming\driveb.exe, PE32 30->77 dropped 123 Multi AV Scanner detection for dropped file 30->123 125 Creates multiple autostart registry keys 30->125 127 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->127 129 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 30->129 40 cmd.exe 30->40         started        131 Modifies Windows Defender protection settings 34->131 133 Adds a directory exclusion to Windows Defender 34->133 135 Disables Windows Defender (via service or powershell) 34->135 42 powershell.exe 23 34->42         started        45 conhost.exe 34->45         started        47 powershell.exe 23 36->47         started        49 conhost.exe 36->49         started        51 AcroCEF.exe 38->51         started        signatures16 process17 signatures18 53 driveb.exe 40->53         started        57 conhost.exe 40->57         started        59 timeout.exe 40->59         started        105 Loading BitLocker PowerShell Module 47->105 61 AcroCEF.exe 51->61         started        process19 dnsIp20 81 187.39.145.4, 6606 CLAROSABR Brazil 53->81 95 Multi AV Scanner detection for dropped file 53->95 83 23.217.172.185, 443, 49700 AKAMAI-ASUS United States 61->83 signatures21
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fef26592bc2346c62716226db150d22f7e148ab630659ee4889c4bce481a977a
Verdict:
Malware
YARA:
1 match(es)
Tags:
ADODB.Stream MSXML2.XMLHTTP Scripting.FileSystemObject VBScript WScript.Shell
Link:
https://app.malva.re/file/d860eae804b05b4eddadb553a1760ade
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fef26592bc2346c62716226db150d22f7e148ab630659ee4889c4bce481a977a/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.SLoad
Link:
https://tip.neiki.dev/file/fef26592bc2346c62716226db150d22f7e148ab630659ee4889c4bce481a977a
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-27 04:26:02 UTC
File Type:
Text (VBS)
AV detection:
1 of 24 (4.17%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=73zglev4endmmjywejw3cugsf57bjcvwgbsz5zeitrf44sa2s55a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware defense_evasion discovery execution persistence pyinstaller spyware
Link:
https://tria.ge/reports/250727-wnq1vadl3y/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
ConfuserEx .NET packer
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fef26592bc2346c62716226db150d22f7e148ab630659ee4889c4bce481a977a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17208/

Comments