MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0235537e89dc75052967f8ecf0dc6f0a57e5b078157409f344e7d8d60720a7dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0235537e89dc75052967f8ecf0dc6f0a57e5b078157409f344e7d8d60720a7dd
SHA3-384 hash: 49f49a53a14533f7084d4dcce4406d5239f0743a73b28590fb05a11f2b4692ae36ede262b082119fc795f26202765078
SHA1 hash: 84e70deef33d3e98346fea9fce35efc505eb0bc7
MD5 hash: 17a59db354f270147d5da27aa7978a3c
humanhash: enemy-beer-triple-virginia
File name:Documento.js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'415 bytes
First seen:2025-04-21 21:54:50 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:RJj7mdr0hffr5WWrsKfjHMtjHMjHMWvW4FvZLTFrYWBr3vFr6hFrm35JFrsDFr53:RJ/mdsffr5WWrsKfrMtrMrMWvW4FvZLE
Threatray 104 similar samples on MalwareBazaar
TLSH T19A4180696401E78CDB5DD2DCB2088321F851AC1EB539DC20E1983AC4D2E85C3D57F755
Magika javascript
Reporter Anonymous
Tags:AsyncRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
518
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6806bff72203b3e10cd26003
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/0235537e89dc75052967f8ecf0dc6f0a57e5b078157409f344e7d8d60720a7dd
Result
Threat name:
AsyncRAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1670617
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1670617 Sample: Documento.js Startdate: 21/04/2025 Architecture: WINDOWS Score: 100 28 deadpoolstart2050.duckdns.org 2->28 30 paste.ee 2->30 32 6 other IPs or domains 2->32 40 Suricata IDS alerts for network traffic 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Yara detected PureLog Stealer 2->44 50 16 other signatures 2->50 9 wscript.exe 1 1 2->9         started        signatures3 46 Uses dynamic DNS services 28->46 48 Connects to a pastebin service (likely for C&C) 30->48 process4 dnsIp5 34 paste.ee 23.186.113.60, 443, 49710, 49711 KLAYER-GLOBALNL Reserved 9->34 52 System process connects to network (likely due to code injection or exploit) 9->52 54 JScript performs obfuscated calls to suspicious functions 9->54 56 Suspicious powershell command line found 9->56 58 3 other signatures 9->58 13 powershell.exe 15 16 9->13         started        signatures6 process7 dnsIp8 36 archive.org 207.241.224.2, 443, 49723 INTERNET-ARCHIVEUS United States 13->36 38 ia801700.us.archive.org 207.241.233.30, 443, 49724 INTERNET-ARCHIVEUS United States 13->38 60 Creates autostart registry keys with suspicious values (likely registry only malware) 13->60 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->62 64 Writes to foreign memory regions 13->64 66 Injects a PE file into a foreign processes 13->66 17 MSBuild.exe 2 13->17         started        20 cmd.exe 1 13->20         started        22 conhost.exe 13->22         started        signatures9 process10 dnsIp11 26 deadpoolstart2050.duckdns.org 177.255.84.173, 49726, 49727, 49728 ColombiaMovilCO Colombia 17->26 24 conhost.exe 20->24         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0235537e89dc75052967f8ecf0dc6f0a57e5b078157409f344e7d8d60720a7dd/
Threat name:
Script-JS.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-21 21:55:09 UTC
File Type:
Binary
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ai2vg7uj3r2qkklh7dwpbxdpbjl6lmdycv2at42e47mnmbzau7oq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
426e44e4c59eab5caeb33b5f0ab569c54fcba00a88def98a0ffacc0eedc59ad5
AsyncRAT
5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d
AsyncRAT
62c0672bd77beaab3e5546944e23f7db1f66a207d9eecbedcaaebb4bfc47b954
AsyncRAT
6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89
AsyncRAT
9ec800488905166dc740c5c7513eb39d49c9a65ae6981b5df117fba7e3266025
AsyncRAT
cbb80b28d18b74f2e7c7cc25613250d84aa207b0b717262477584b5619a5ca12
AsyncRAT
error
AsyncRAT
fd324ca4274023352ae7ce6b53dbd06a8cd6ec81653dd0bc0bc0ef7987022485
AsyncRAT
+ 94 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250421-1st1hszjy3/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0235537e89dc75052967f8ecf0dc6f0a57e5b078157409f344e7d8d60720a7dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments