MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10d8f2dcaf45c565724f4ff3aecaeef06852e3fd7754ffebf0c3695013549969. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 15



SHA256 hash: 10d8f2dcaf45c565724f4ff3aecaeef06852e3fd7754ffebf0c3695013549969
SHA3-384 hash: 00e16f73b93eb6785c78cab227e98ffa090a882bdc939793ab102e1be8965abe2abf931094eb8f0ab32e487ca65f7632
SHA1 hash: 135fbdfec68441699aa92633f5f58397278a58df
MD5 hash: 1cdf4133930a1a59ba9496a6f10041ad
humanhash: paris-xray-beer-rugby
File name: QUOTATION #8042025.XLS.vbs
Signature: AsyncRAT
File size: 1'359'304 bytes
First seen: 2025-08-04 18:15:09 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 6144:YYwQwIBWride4Ry+3/IMuBf2Z7PilSYwAs1l7FWmcdLfDOVAwCv:YmBgi1huBf20QYwAs1l7FiLfDJ
TLSH: T1B155D8833F3CB673ADA44A0F22E70C9D46E6D91E86F234647718CEAF6576195098D0E3
Magika: vba
Reporter: abuse_ch
Tags: AsyncRAT RAT vbs


abuse_ch
AsyncRAT C2:
46.246.12.3:2703

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
46.246.12.3:2703    https://threatfox.abuse.ch/ioc/1564280/

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: NL
Vendor Threat Intelligence

Verdict: Malicious
Score: 97.4%
Tags: asyncrat vmdetect autorun neshta

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm asyncrat dropper fingerprint macros masquerade njrat obfuscated overlay packed rat reg svchost.exe

Result
Threat name: WSHRat, AsyncRAT, Neshta
Detection: malicious
Classification: spre.troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected WSHRat
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Drops script or batch files to the startup folder
Found malware configuration
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
Yara detected AsyncRAT
Yara detected Neshta
Yara detected WSHRAT
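The Sigma rule titles and sandbox signatures above describe host-side behaviour that is easy to check for in endpoint telemetry. The following is an added example, not MalwareBazaar's or any sandbox vendor's code: it re-implements the intent of several of those rules in plain Python (double-extension lure name, script host run from a user-writable folder, wscript in batch mode, a Run key pointing at wscript, a script dropped to the Startup folder, a system process name in the wrong place or with the wrong extension, schtasks persisting a binary from AppData) and runs them over constructed Sysmon-style events modelled on the process tree the sandbox reported. The event schema (EventID 1 process create, 11 file create, 13 registry value set), the command lines, registry paths and SIDs are assumptions made for illustration, not the sample's actual values.

```python
"""Added example, not MalwareBazaar's or any sandbox vendor's code: a small
host-based detector that re-implements, in plain Python, the intent of several
of the Sigma rule titles and sandbox signatures listed for this sample, and
runs them over constructed Sysmon-style events modelled on the behaviour the
sandbox reported (double-extension VBS, wscript //B from Temp/Roaming, a Run
key pointing at wscript, svchost.com in the Windows directory, schtasks
persistence).

Assumptions (not from the page): the event dictionaries below use Sysmon
EventID 1 (process create), 11 (file create) and 13 (registry value set)
field names; command lines and registry paths are constructed for
illustration and are not the sample's actual values.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Extensions a lure name uses to look like a document before the real script extension.
DOC_EXT = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Downloads|Public|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Names that are legitimate only as .exe under System32/SysWOW64 (svchost.com, svchost.js are anomalies).
SYSTEM_STEMS = {"svchost", "lsass", "csrss", "audiodg", "winlogon", "services"}
BATCH_FLAG = re.compile(r"(^|\s)//?b(\s|$)", re.I)  # wscript //B: batch mode, suppresses error dialogs


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def splitext(name):
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext) if dot else (name, "")


def double_extension(name):
    """True for lure names such as 'QUOTATION #8042025.XLS.vbs' (document-looking inner extension, script outer)."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in SCRIPT_EXT and "." + parts[-2] in DOC_EXT


def system_name_anomaly(path):
    """A system process name with a non-.exe extension or outside the system directories."""
    stem, ext = splitext(basename(path))
    return stem.lower() in SYSTEM_STEMS and (ext.lower() != ".exe" or not SYSTEM_DIRS.match(path))


def script_arg(cmdline):
    """First command-line token (quoted or bare) that ends in a script-host extension."""
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        tok = quoted or bare
        if splitext(basename(tok))[1].lower() in SCRIPT_EXT:
            return tok
    return None


def analyze(events):
    """Return (rule, detail) pairs; rule names mirror the Sigma titles on this page."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image, cmd = ev["Image"], ev.get("CommandLine", "")
            name = basename(image).lower()
            if name in SCRIPT_HOSTS:
                script = script_arg(cmd)
                if script and double_extension(basename(script)):
                    hits.append(("double_extension_script", script))
                if script and USER_WRITABLE.search(script):
                    hits.append(("script_from_user_writable_dir", script))
                if BATCH_FLAG.search(cmd):
                    hits.append(("wscript_batch_mode", cmd))
            if system_name_anomaly(image):
                hits.append(("system_name_location_anomaly", image))
            if name == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
                hits.append(("schtasks_persists_user_writable_binary", cmd))
        elif eid == 11:
            target = ev["TargetFilename"]
            if STARTUP_DIR.search(target) and splitext(basename(target))[1].lower() in SCRIPT_EXT:
                hits.append(("script_dropped_to_startup", target))
            if system_name_anomaly(target):
                hits.append(("system_name_location_anomaly", target))
        elif eid == 13:
            if RUN_KEY.search(ev["TargetObject"]) and re.search(r"[wc]script(\.exe)?\b", ev.get("Details", ""), re.I):
                hits.append(("wscript_in_run_key", ev["TargetObject"]))
    return hits


def rules_hit(events):
    """Sorted, de-duplicated rule names that fired over the event list."""
    return sorted({rule for rule, _ in analyze(events)})


# Constructed events (not real telemetry), modelled on the sandbox process tree on this page.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{WSCRIPT}" "C:\\Users\\user\\Downloads\\QUOTATION #8042025.XLS.vbs"'},
    {"EventID": 1, "Image": WSCRIPT, "ParentImage": WSCRIPT,
     "CommandLine": r"wscript.exe //B C:\Users\user\AppData\Local\Temp\XMXt.js"},
    {"EventID": 11, "Image": WSCRIPT, "TargetFilename": r"C:\Users\user\AppData\Roaming\svchost.js"},
    {"EventID": 13, "Image": WSCRIPT,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r'wscript.exe //B "C:\Users\user\AppData\Roaming\svchost.js"'},
    {"EventID": 1, "Image": r"C:\Windows\svchost.com", "ParentImage": r"C:\Users\user\AppData\Roaming\Windows Update.exe",
     "CommandLine": r'"C:\Windows\svchost.com" "C:\Users\user\AppData\Roaming\Windows Update.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /f /sc minute /mo 1 /tn "Windows Update" /tr "C:\Users\user\AppData\Roaming\Windows Update.exe"'},
    {"EventID": 11, "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js"},
    # Benign control: the real svchost.exe launched by services.exe must not alert.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:40} {detail}")
```

The control event at the end is the important one: the system-name check is keyed on stem plus extension plus directory, so the genuine `C:\Windows\System32\svchost.exe` stays silent while `C:\Windows\svchost.com` (the Neshta infector dropped by this sample) and `svchost.js` in Roaming both fire. In production the same logic belongs in Sigma or the EDR's query language; the Python is only there to make the matching conditions explicit.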
Behaviour
Behavior Graph: ID 1750022, sample QUOTATION #8042025.XLS.vbs, start date 04/08/2025, architecture WINDOWS, score 100. Contacted hosts: chongmei33.publicvm.com, star-azurefd-prod.trafficmanager.net and 6 other IPs or domains. Top-level signatures: Register Wscript In Run Key; Suricata IDS alerts for network traffic; Found malware configuration; 26 other signatures. Process tree, dropped files and per-process signatures recovered from the graph:

wscript.exe (initial script)
  dropped: C:\Users\user\AppData\Local\Temp\XMXt.js (ASCII)
  signatures: Benign windows process drops PE files; Detected WSHRat; VBScript performs obfuscated calls to suspicious functions; 4 other signatures
  -> wscript.exe
       dropped: C:\Users\user\AppData\Local\...\taudiodg.js (ASCII)
       -> wscript.exe
            dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32)
            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            -> svchost.exe
                 dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32)
                 signatures: Drops PE files with benign system names
                 -> svchost.exe
                      dropped: C:\Users\user\AppData\...\Windows Update.exe (PE32); C:\Users\user\AppData\...\tmp3BFB.tmp.bat (DOS)
                      signatures: Creates multiple autostart registry keys
                      -> cmd.exe
                           signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                           -> Windows Update.exe
                                dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\...\Windows Update.exe (PE32); C:\Program Files (x86)\...\pwahelper.exe (PE32); 47 other malicious files
                                signatures: Creates an undocumented autostart registry key; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
                                -> Windows Update.exe
                                     -> svchost.com
                                          dropped: C:\Windows\directx.sys (ASCII)
                                          signatures: Sample is not signed and drops a device driver
                                          -> cmd.exe
                           -> conhost.exe
                           -> timeout.exe
                           -> 2 other processes
       -> wscript.exe
            -> wscript.exe
                 dropped: C:\Users\user\AppData\Roaming\svchost.js (ASCII); C:\Users\user\AppData\Roaming\...\svchost.js (ASCII)
                 signatures: Creates multiple autostart registry keys; Windows Scripting host queries suspicious COM object (likely to drop second stage); Wscript called in batch mode (suppress errors)
                 -> wscript.exe
                      network: jamesrockky.ydns.eu 46.246.12.3:2703 (PORTLANE, Sweden), local ports 49722, 49729
            -> EXCEL.EXE
                 network: s-part-0012.t-0009.t-msedge.net 13.107.246.40:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States), local ports 49758, 49761
                 -> splwow64.exe
svchost.com (top level)
  signatures: Wscript called in batch mode (suppress errors)
  -> wscript.exe
       signatures: System process connects to network (likely due to code injection or exploit); Detected WSHRat; Windows Scripting host queries suspicious COM object (likely to drop second stage); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
svchost.com (top level)
  signatures: Multi AV Scanner detection for dropped file
  -> Windows Update.exe
       -> svchost.com
            -> Windows Update.exe
3 other processes (top level)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  -> svchost.com
       signatures: Wscript called in batch mode (suppress errors)
       -> wscript.exe
  -> Windows Update.exe
Verdict: Malware
YARA: 1 match(es)
Tags: AdoDb.stream DeObfuscated Microsoft.xmldom Obfuscated SCRipting.filesystemobject T1059.005 VBScript WScript.Shell

Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2025-08-04 18:15:45 UTC
File Type: Text (VBS)
AV detection: 7 of 37 (18.92%)

Threat level: 2/5

Verdict: malicious
Label(s): asyncrat neshta
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:asyncrat family:neshta family:wshrat botnet:default-aug 25 defense_evasion discovery execution persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Modifies system executable filetype association
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Async RAT payload
AsyncRat
Asyncrat family
Detect Neshta payload
Neshta
Neshta family
WSHRAT
Wshrat family
Malware Config
C2 Extraction:
jamesrockky.ydns.eu:2703
jamesrockky.ydns.eu:5670
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:5670
umar33myddns.rocks:2703
umar33myddns.rocks:5670
http://chongmei33.publicvm.com:7044
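The extracted configuration above, together with the ThreatFox IOC in the Indicators Of Compromise section, is what a defender actually hunts with. All three C2 names are dynamic-DNS hosts, so matching on the IP alone is fragile: the sandbox saw jamesrockky.ydns.eu resolve to 46.246.12.3, but the operator can repoint the name at any time. The following is an added example, not MalwareBazaar's or ThreatFox's code: it normalises the seven configuration entries (both `host:port` and `http://host:port` forms) into (host, port) indicators, learns name-to-IP bindings from a DNS log, and flags connections by name, by the ThreatFox IP, and, as weak evidence only, by the non-standard ports 2703/5670/7044. The whitespace-separated log layouts and the log lines themselves are constructed for illustration and are not from the sandbox run.

```python
"""Added example, not MalwareBazaar's or ThreatFox's code: turn the C2 list
extracted from this sample's configuration, plus the reporter's resolved
46.246.12.3:2703, into (host, port) indicators and hunt for them in DNS and
connection logs. The hostnames are dynamic-DNS names, so the match is done
on the name first and on the IP only where DNS answers (or ThreatFox) tie the
IP to the name.

Assumptions (not from the page): the whitespace-separated log layouts below
(DNS: ts client qname answer; conn: ts src sport dst dport) and the log lines
themselves are constructed for illustration.
"""
from urllib.parse import urlsplit

# Verbatim from the "C2 Extraction" list on this page.
C2_CONFIG = [
    "jamesrockky.ydns.eu:2703", "jamesrockky.ydns.eu:5670",
    "chongmei33.publicvm.com:2703", "chongmei33.publicvm.com:5670",
    "umar33myddns.rocks:2703", "umar33myddns.rocks:5670",
    "http://chongmei33.publicvm.com:7044",
]
# ThreatFox IOC 1564280 / reporter comment: the IP jamesrockky.ydns.eu resolved to in the sandbox run.
THREATFOX_IP_IOCS = {("46.246.12.3", 2703)}


def parse_indicator(entry):
    """'host:port' or 'scheme://host:port[/path]' -> (lowercase host, int port)."""
    if "://" in entry:
        u = urlsplit(entry)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80)
    host, _, port = entry.rpartition(":")
    return host.lower(), int(port)


def hunt(dns_lines, conn_lines):
    """Return (alert, client, detail) triples for DNS lookups and connections matching the C2 set."""
    ioc = {parse_indicator(e) for e in C2_CONFIG}
    c2_hosts = {h for h, _ in ioc}
    c2_ports = {p for _, p in ioc}
    resolved = {}  # answer IP -> C2 hostname, learned from the DNS log
    alerts = []
    for line in dns_lines:
        _ts, client, qname, answer = line.split()
        qname = qname.lower().rstrip(".")
        if qname in c2_hosts:
            alerts.append(("dns_query_c2_domain", client, qname))
            if answer != "-":  # "-" marks a lookup with no answer in this constructed format
                resolved[answer] = qname
    for line in conn_lines:
        _ts, src, _sport, dst, dport = line.split()
        dport = int(dport)
        host = resolved.get(dst)
        if (dst, dport) in THREATFOX_IP_IOCS:
            alerts.append(("c2_connection_threatfox_ip", src, f"{dst}:{dport}"))
        elif host and (host, dport) in ioc:
            alerts.append(("c2_connection", src, f"{host} ({dst}):{dport}"))
        elif dport in c2_ports:
            # "Uses known network protocols on non-standard ports": the port alone is weak evidence.
            alerts.append(("c2_port_unknown_host", src, f"{dst}:{dport}"))
    return alerts


# Constructed log lines (not sandbox output); 203.0.113.9 is a documentation address.
SAMPLE_DNS = [
    "1754331310 10.0.0.15 jamesrockky.ydns.eu 46.246.12.3",
    "1754331311 10.0.0.15 star-azurefd-prod.trafficmanager.net 13.107.246.40",
    "1754331312 10.0.0.15 chongmei33.publicvm.com -",
]
SAMPLE_CONN = [
    "1754331315 10.0.0.15 49722 46.246.12.3 2703",
    "1754331320 10.0.0.15 49758 13.107.246.40 443",
    "1754331330 10.0.0.22 51000 46.246.12.3 5670",
    "1754331340 10.0.0.22 51001 203.0.113.9 7044",
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_DNS, SAMPLE_CONN):
        print(*alert)
```

Note the ordering of the three connection checks: the ThreatFox pair is exact and fires first, a name-backed match on any of the configured ports comes second, and a bare port match is reported separately so it can be triaged at a lower priority rather than dropped. The Microsoft CDN traffic on 443 that Excel generated in the sandbox run produces no alert, which is the point of keying on the configuration rather than on "everything the sample touched".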
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: detect_tiny_vbs
Author: daniyyell
Description: Detects tiny VBS delivery technique

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments