MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 6

SHA256 hash: 0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76
SHA3-384 hash: b9ca03ab75c76e2567ed0a4f412abee10761e19bffd278f80e8a12dd91fec75722c580ab12cdf0532a61f306a595b094
SHA1 hash: d3efef68f92f8bb8702b201bada71b4eec09487b
MD5 hash: 056d09807a8b9ae8155031b9da0d099d
humanhash: jersey-carolina-football-neptune
File name: RU0028080707Z.VBS
Signature: AsyncRAT
File size: 501 bytes
First seen: 2022-09-07 15:31:51 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 12:bE9CvKubLHlQxJH8iVNwQHKoX59VGQpwoqiR:g9+bL6/ciVNwQHKE5KoL
Threatray: 5,097 similar samples on MalwareBazaar
TLSH: T176F02E21866149DF2CCBD80B1655047EC8CDA18A8866A7A21BDAF9CC185C739F6DD062
Reporter: 0xToxin
Tags: AsyncRAT, vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 310
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: schtasks.exe
Result
Verdict: UNKNOWN

Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph ID: 699093
Sample: RU0028080707Z.VBS.vbs
Start date: 07/09/2022
Architecture: WINDOWS
Score: 100

Process tree recovered from the behavior graph image (signatures attached to a node are given in square brackets):

Top level: contacts windowsupdatebg.s.llnwi.net and israelpost.co.il [Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 7 other signatures]
- wscript.exe (3 instances) [VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly)]
  - cmd.exe (one per wscript.exe) [Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules]
    - powershell.exe + conhost.exe (one pair per cmd.exe)
      - first powershell.exe: contacts superfaster1.is-found.org (45.14.224.94, ports 2001, 444, 49720; SPECTRAIPSpectraIPBVNL, Netherlands); drops C:\Users\Public\FFF.PS1 (ASCII); starts a further powershell.exe
        - powershell.exe: drops C:\ProgramData\MINI\xx.bat (ASCII) and three more ASCII files under C:\ProgramData\MINI whose names are garbled in the extracted graph ("MINI70YDYDSBERDSVERY.vbs", "MINI72YDYDSBERDSVERY.bat", "MINIbehaviorgraphLB4.PS1"); starts wscript.exe and chrome.exe
          - wscript.exe [Wscript starts Powershell (via cmd or directly)]
            - cmd.exe
              - taskkill.exe (3 instances) and 2 other processes
          - chrome.exe: contacts 192.168.2.1 and 239.255.255.250 (reserved)
            - chrome.exe: contacts israelpost.co.il (66.22.35.41:443; RADWAREIL, United States), cdn.perfdrive.com (130.211.29.114:443; GOOGLEUS, United States) and 22 other IPs or domains
      - second and third powershell.exe [Writes to foreign memory regions; Injects a PE file into a foreign process]
        - aspnet_compiler.exe (one per powershell.exe): contacts superziad.is-a-liberal.com, superhay.is-a-geek.com and 2 other IPs or domains
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
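The process tree and the two behaviour lists above describe one chain: wscript.exe runs the VBS, spawns cmd.exe, which starts powershell.exe with the execution policy bypassed, registers a scheduled task and kills processes with taskkill; a later powershell.exe writes to foreign memory and injects a PE into a child aspnet_compiler.exe, a signed .NET Framework binary. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors: a small detector that rebuilds parent-child chains from Sysmon-style process-creation events and fires rules mirroring those signatures. The events, pids, paths and command lines are constructed for illustration and are assumptions; only the file names C:\Users\Public\FFF.PS1 and C:\ProgramData\MINI\xx.bat are taken from the graph above.

```python
"""Process-chain detection for the wscript -> cmd -> powershell -> aspnet_compiler pattern.

Added example, not MalwareBazaar or vendor code. EVENTS is a constructed set of
Sysmon-style process-creation records (EventID 1 fields reduced to pid/ppid/image/cmdline).
"""
import re
from typing import Dict, List, Set

# Constructed events modelled on the behaviour graph; pids and command lines are assumptions.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\RU0028080707Z.VBS"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c powershell -ExecutionPolicy Bypass -File C:\Users\Public\FFF.PS1"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Users\Public\FFF.PS1"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn MINI /tr "C:\ProgramData\MINI\xx.bat" /f'},
    {"pid": 104, "ppid": 102, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    {"pid": 105, "ppid": 101, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im powershell.exe"},
    # Benign control: an interactive PowerShell started from explorer.exe must not fire.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

# -ExecutionPolicy Bypass and its accepted short forms (-ex, -ep).
EP_BYPASS = re.compile(r"-e[px]\w*\s+bypass", re.I)
# Script files staged in world-writable locations used by this sample.
PUBLIC_SCRIPT = re.compile(r'\\(?:Users\\Public|ProgramData)\\[^ "]+\.(?:ps1|bat|vbs)\b', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _image_name(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the process up to the root, e.g. ['powershell.exe', 'cmd.exe', 'wscript.exe'].

    Stops at an unknown parent or on a pid cycle (pids get reused on a live host)."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    seen: Set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[Dict]) -> Dict[int, Set[str]]:
    """Map pid -> names of rules that fired. Rules mirror the sandbox signatures on this page."""
    findings: Dict[int, Set[str]] = {}

    def hit(pid: int, rule: str) -> None:
        findings.setdefault(pid, set()).add(rule)

    for e in events:
        chain = ancestry(events, e["pid"])
        name, cmd, pid = chain[0], e["cmdline"], e["pid"]
        # Any script host above us makes the whole subtree suspect.
        under_script_host = any(p in SCRIPT_HOSTS for p in chain[1:])
        if not under_script_host:
            continue
        if name == "powershell.exe":
            hit(pid, "wscript_starts_powershell")
            if EP_BYPASS.search(cmd):
                hit(pid, "powershell_execution_policy_bypass")
        if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            hit(pid, "scheduled_task_from_script")
        if name == "taskkill.exe":
            hit(pid, "taskkill_from_script")
        # aspnet_compiler.exe has no business being a PowerShell child: injection/hollowing target.
        if name == "aspnet_compiler.exe" and chain[1:2] == ["powershell.exe"]:
            hit(pid, "aspnet_compiler_spawned_by_powershell")
        if PUBLIC_SCRIPT.search(cmd):
            hit(pid, "script_in_public_writable_dir")
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, sorted(rules))
```

Each rule keys on the chain rather than on a single image name, which is what keeps the interactive explorer.exe → powershell.exe control from firing while the same powershell.exe under wscript.exe does; in a real deployment the same logic runs over Sysmon EventID 1 (or EDR equivalent) with ParentProcessId joined to ProcessId.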
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: AsyncRAT
Sample: Visual Basic Script (vbs), SHA256 0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76 (this sample)

Comments