MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76
SHA3-384 hash: b9ca03ab75c76e2567ed0a4f412abee10761e19bffd278f80e8a12dd91fec75722c580ab12cdf0532a61f306a595b094
SHA1 hash: d3efef68f92f8bb8702b201bada71b4eec09487b
MD5 hash: 056d09807a8b9ae8155031b9da0d099d
humanhash: jersey-carolina-football-neptune
File name:RU0028080707Z.VBS
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:501 bytes
First seen:2022-09-07 15:31:51 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:bE9CvKubLHlQxJH8iVNwQHKoX59VGQpwoqiR:g9+bL6/ciVNwQHKE5KoL
Threatray 5'097 similar samples on MalwareBazaar
TLSH T176F02E21866149DF2CCBD80B1655047EC8CDA18A8866A7A21BDAF9CC185C739F6DD062
Reporter 0xToxin
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308559/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
schtasks.exe
Link:
https://www.filescan.io/uploads/6318b9fc55480bd187d3f997/reports/6269d176-fb64-4794-9823-982547840a2b/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066555
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 699093 Sample: RU0028080707Z.VBS.vbs Startdate: 07/09/2022 Architecture: WINDOWS Score: 100 78 windowsupdatebg.s.llnwi.net 2->78 80 israelpost.co.il 2->80 106 Snort IDS alert for network traffic 2->106 108 Multi AV Scanner detection for domain / URL 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 7 other signatures 2->112 12 wscript.exe 1 2->12         started        15 wscript.exe 1 2->15         started        17 wscript.exe 2->17         started        signatures3 process4 signatures5 120 VBScript performs obfuscated calls to suspicious functions 12->120 122 Wscript starts Powershell (via cmd or directly) 12->122 19 cmd.exe 1 12->19         started        22 cmd.exe 1 15->22         started        24 cmd.exe 17->24         started        process6 signatures7 114 Wscript starts Powershell (via cmd or directly) 19->114 116 Bypasses PowerShell execution policy 19->116 118 Uses schtasks.exe or at.exe to add and modify task schedules 19->118 26 powershell.exe 14 17 19->26         started        30 conhost.exe 19->30         started        32 powershell.exe 9 22->32         started        35 conhost.exe 22->35         started        37 powershell.exe 24->37         started        39 conhost.exe 24->39         started        process8 dnsIp9 92 superfaster1.is-found.org 45.14.224.94, 2001, 444, 49720 SPECTRAIPSpectraIPBVNL Netherlands 26->92 76 C:\Users\Public\FFF.PS1, ASCII 26->76 dropped 41 powershell.exe 3 36 26->41         started        100 Writes to foreign memory regions 32->100 102 Injects a PE file into a foreign processes 32->102 44 aspnet_compiler.exe 2 32->44         started        47 aspnet_compiler.exe 3 37->47         started        file10 signatures11 process12 dnsIp13 68 C:\ProgramData\MINI\xx.bat, ASCII 41->68 dropped 70 C:\ProgramData\MINI70YDYDSBERDSVERY.vbs, ASCII 41->70 dropped 72 C:\ProgramData\MINI72YDYDSBERDSVERY.bat, ASCII 41->72 dropped 74 C:\ProgramData\MINIbehaviorgraphLB4.PS1, ASCII 41->74 dropped 49 wscript.exe 1 41->49         started        52 chrome.exe 13 41->52         started        94 superziad.is-a-liberal.com 44->94 96 superhay.is-a-geek.com 44->96 98 2 other IPs or domains 44->98 file14 process15 dnsIp16 104 Wscript starts Powershell (via cmd or directly) 49->104 55 cmd.exe 1 49->55         started        82 192.168.2.1 unknown unknown 52->82 84 239.255.255.250 unknown Reserved 52->84 57 chrome.exe 52->57         started        signatures17 process18 dnsIp19 60 taskkill.exe 1 55->60         started        62 taskkill.exe 1 55->62         started        64 taskkill.exe 1 55->64         started        66 2 other processes 55->66 86 israelpost.co.il 66.22.35.41, 443, 49723, 49725 RADWAREIL United States 57->86 88 cdn.perfdrive.com 130.211.29.114, 443, 49751 GOOGLEUS United States 57->88 90 22 other IPs or domains 57->90 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azy5dt2gzfl5rsrqqtkqb5gmwltr6x3ipbumwxyrget6kyccfz3a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1636595f5dd5eee39bb56d389f9839bb802029c77a8bebf2ab9893b51e8fb4f5
AsyncRAT
1eb738be8b7b77e57127ff63182b375aafd1b2e1c64d7518b35465fb81192ac8
AsyncRAT
6f105d359fe32edd24c3e5a441f3f8d3f4be7fad856ce7b0e606e9e18b742024
AsyncRAT
b55a7f2db36e14818a5f05352f8b35ddf412fc64919993d25dd9e5ff4b406f07
AsyncRAT
e8b15948351e4c8b67c73da3c3693b04d50348791370e607a25b884683d2ea46
AsyncRAT
f98939d066a7065b750c6813a1ba0557acf80bbf36b54a48b2bd51df82f66a87
AsyncRAT
+ 5'087 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220908-fwrdksahgj/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0671d1cf46c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Visual Basic Script (vbs) vbs 0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/308559/

Comments