MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 041201ea61adce22ef2f36f64f9ccac66d638bffcb043e48f53d33cc7d8692a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 041201ea61adce22ef2f36f64f9ccac66d638bffcb043e48f53d33cc7d8692a6
SHA3-384 hash: 2f27830f6c451c11fec5abf1108a9d61f5d4944b36bbc0fb725b4fdf898ac79e21a42632f12d3e833f3264e52f42c54b
SHA1 hash: de945f448741fd7f9130ba366e82f24fbff8b882
MD5 hash: 5766cb7fde4550d5b22abc76368cd73c
humanhash: texas-three-seventeen-wisconsin
File name:Shipping_Document-one__rw.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:50'582 bytes
First seen:2023-01-28 14:17:23 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:/jNbaYAiCAIpcC4HLSDq9/yamFjr6lI5ZiMWcFq:/iZKqTjkImCk
Threatray 3'001 similar samples on MalwareBazaar
TLSH T1B033E0F38B8A09FCD6A0DD8D768D8419E3CDD49D86014DECA60EC49E5FDD2721E88E08
Reporter c_APT_ure
Tags:AsyncRAT bat OneNote


Avatar
c_APT_ure
05d01d9b097c1a2b0135ebf2f89a3dbe Shipping_Document.one

5766cb7fde4550d5b22abc76368cd73c Shipping_Document_content/OneNoteAttachments/rw.bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Document.one
Verdict:
Malicious activity
Analysis date:
2023-01-27 21:33:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c168327f-a217-4b91-b596-55cf5ac9ffef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357747/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63d52e9a696b2d972574bcb5/reports/0011833c-3795-41be-a558-a3c62807d726/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160787
Signature
Bypasses PowerShell execution policy
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 793524 Sample: Shipping_Document-one__rw.bat Startdate: 28/01/2023 Architecture: WINDOWS Score: 100 59 api.ip.sb 2->59 65 Snort IDS alert for network traffic 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 3 other signatures 2->71 11 cmd.exe 2 2->11         started        signatures3 process4 file5 57 C:\...\Shipping_Document-one__rw.bat.exe, PE32+ 11->57 dropped 77 Suspicious powershell command line found 11->77 79 Bypasses PowerShell execution policy 11->79 81 Renames powershell.exe to bypass HIPS 11->81 15 Shipping_Document-one__rw.bat.exe 2 19 11->15         started        20 conhost.exe 11->20         started        signatures6 process7 dnsIp8 61 109.107.174.128, 49698, 49700, 49701 TELEPORT-TV-ASRU Russian Federation 15->61 49 C:\Users\user\AppData\Local\Temp\skwclw.bat, DOS 15->49 dropped 51 C:\Users\user\AppData\Local\Temp\dpabfu.bat, DOS 15->51 dropped 63 Tries to harvest and steal browser information (history, passwords, etc) 15->63 22 cmd.exe 1 15->22         started        25 cmd.exe 1 15->25         started        file9 signatures10 process11 signatures12 75 Suspicious powershell command line found 22->75 27 powershell.exe 10 22->27         started        29 conhost.exe 22->29         started        31 powershell.exe 10 25->31         started        33 conhost.exe 25->33         started        process13 process14 35 cmd.exe 2 27->35         started        39 cmd.exe 2 31->39         started        file15 53 C:\Users\user\AppData\...\dpabfu.bat.exe, PE32+ 35->53 dropped 41 dpabfu.bat.exe 5 35->41         started        43 conhost.exe 35->43         started        55 C:\Users\user\AppData\...\skwclw.bat.exe, PE32+ 39->55 dropped 73 Renames powershell.exe to bypass HIPS 39->73 45 skwclw.bat.exe 1 39->45         started        47 conhost.exe 39->47         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/041201ea61adce22ef2f36f64f9ccac66d638bffcb043e48f53d33cc7d8692a6/
Threat name:
Script-BAT.Trojan.ONDlder
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 18:40:37 UTC
File Type:
Text (Batch)
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqjad2tbvxhcf3zpg33e7hgkyzwwhc77zmcd4shvhuz4y7mgskta._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
760de76033fc771ea58714885fc528d0b14ed5ef45f2080971687cc182883846
AsyncRAT
764250ddf94b90441193fe1c29754f231e0868d1878fdf3150e5744dd8d8c378
AsyncRAT
7f9558b222b78098c76f84c190fb28848c2f8e2e89cabfd7eb3ba83a6160c96d
AsyncRAT
8df28341644c2139c9d9dfb6231169c70fdb5a18daf628bac6307503f4d0b80f
AsyncRAT
bd45e50b3ec1e76b4cc8c018131921f5237a356b1dcbc9ec69fdf9788edbea58
AsyncRAT
e180cd1b7fcf1674287a2aa516901ab1491aaaf7d9beb067b8109e742d89a50b
AsyncRAT
+ 2'991 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/230128-rl9yqagf2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/041201ea61adce22ef2f36f64f9ccac66d638bffcb043e48f53d33cc7d8692a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Batch (bat) bat 041201ea61adce22ef2f36f64f9ccac66d638bffcb043e48f53d33cc7d8692a6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/357747/

Comments