MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09d937ee537c87196fe5538f70fe3a5645f4cc3c32c21550af9d8ee069b16e26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 6



SHA256 hash: 09d937ee537c87196fe5538f70fe3a5645f4cc3c32c21550af9d8ee069b16e26
SHA3-384 hash: c2ca5eff8a9ce8524ab54566cf2cfbf28be4a1321515ca29f8bd19d94fbbb1a75870d7e1f5ce7a473fdf71621bef33a6
SHA1 hash: f9967a31145a8cd584b967f3babded3e4398df74
MD5 hash: 155bab4ddf61e2444691de6377c6c4ee
humanhash: red-purple-white-social
File name: Itinerary Details.vbs
Signature: AsyncRAT
File size: 54'545 bytes
First seen: 2022-04-08 18:20:53 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 96:9WuuNOBM0HnMBHSMb+5AMHBEdR+5AMHBdkdnMy0KbjMeBduuNOBM0HnMBHSMb+5D:aVtWadMrIt6GDMs6MSmWc4yIim
Threatray: 2'129 similar samples on MalwareBazaar
TLSH: T1A333C9C1A71C1631127CBED5BD08FBAF4EB3A0FCFAC247EAC288D51924A542585735E6
Reporter: proxylife
Tags: AsyncRAT vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 307
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Connects to a pastebin service (likely for C&C)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Schedule VBS From Appdata
Sigma detected: Suspicious Process Parents
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected RUNPE
Behaviour
Behavior Graph: ID 605953, sample Itinerary Details.vbs, start date 08/04/2022, architecture WINDOWS, score 100. Process chain shown in the graph: wscript.exe -> powershell.exe -> csc.exe / cvtres.exe (compiled injection stub DLLs dropped under AppData\Local), powershell.exe -> cmd.exe -> schtasks.exe / timeout.exe; dropped files include C:\Users\Public\ZmfST.PS1, AppData\Roaming\Task.bat, SystemLoginHost.vbs and MicrosoftSystemHandler.vbs; network nodes paste.ee (188.114.96.7:443, CLOUDFLARENET) and n0fuzga.publicvm.com (185.19.85.168, DATAWIRE-AS, Switzerland).
Threat name: Script.Downloader.Heuristic
Status: Malicious
First seen: 2022-04-08 18:21:05 UTC
File Type: Text (VBS)
AV detection: 2 of 42 (4.76%)
Threat level: 2/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:default rat suricata
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
Malware Config
C2 Extraction: n0fuzga.publicvm.com:5946
Dropper Extraction: https://paste.ee/r/ZmfST/0
Please note that we are no longer able to provide a coverage score for VirusTotal.
