MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
SHA3-384 hash: 0941590a3764deb2a9fb5cc4d9690a1fe203257c0625f62118a1e2699b02a3d0d080d964ecf46328946193fb35aa4b94
SHA1 hash: 107e788694216d64c5c02990f035f1d1acb60cf9
MD5 hash: 804513fa0ce051329e04056cdcd334bf
humanhash: bakerloo-jersey-finch-robert
File name:COTIZACIÓN.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:8'938'658 bytes
First seen:2025-03-31 17:28:23 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:DloyjjdVMFZNkNls2vv8hAwxJV837YTUf:lxO7k0hAwHVk
Threatray 38 similar samples on MalwareBazaar
TLSH T17696C8A913F86580B7FB9F0E117962451EBB7DA31DBC92694D1001268D7AF81CEB1B33
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika unknown
Reporter abuse_ch
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-2565.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ead446cfd0a37f830af51e
Tags:
autorun dropper shell sage
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
Result
Threat name:
AsyncRAT, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1653084
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Paste sharing url in reverse order
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1653084 Sample: COTIZACI#U00d3N.vbs Startdate: 31/03/2025 Architecture: WINDOWS Score: 100 85 paste.ee 2->85 87 textbin.net 2->87 89 bg.microsoft.map.fastly.net 2->89 101 Suricata IDS alerts for network traffic 2->101 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 109 21 other signatures 2->109 11 wscript.exe 1 2->11         started        14 powershell.exe 2->14         started        16 powershell.exe 2->16         started        18 powershell.exe 11 2->18         started        signatures3 107 Connects to a pastebin service (likely for C&C) 85->107 process4 signatures5 131 Suspicious powershell command line found 11->131 133 Wscript starts Powershell (via cmd or directly) 11->133 135 Uses schtasks.exe or at.exe to add and modify task schedules 11->135 139 2 other signatures 11->139 20 powershell.exe 7 11->20         started        23 schtasks.exe 1 11->23         started        25 schtasks.exe 1 11->25         started        27 wscript.exe 14->27         started        29 conhost.exe 14->29         started        31 wscript.exe 16->31         started        33 conhost.exe 16->33         started        137 Wscript called in batch mode (surpress errors) 18->137 35 conhost.exe 1 18->35         started        37 wscript.exe 18->37         started        process6 signatures7 111 Suspicious powershell command line found 20->111 113 Encrypted powershell cmdline option found 20->113 115 Bypasses PowerShell execution policy 20->115 119 2 other signatures 20->119 39 powershell.exe 14 19 20->39         started        44 conhost.exe 20->44         started        46 conhost.exe 23->46         started        48 conhost.exe 25->48         started        117 Wscript starts Powershell (via cmd or directly) 27->117 50 powershell.exe 27->50         started        52 powershell.exe 31->52         started        process8 dnsIp9 93 textbin.net 104.21.32.1, 443, 49723, 49729 CLOUDFLARENETUS United States 39->93 95 paste.ee 23.186.113.60, 443, 49725, 49730 KLAYER-GLOBALNL Reserved 39->95 83 C:\Users\user\AppData\Local\Temp\dll03.ps1, Unicode 39->83 dropped 127 Potential dropper URLs found in powershell memory 39->127 54 powershell.exe 15 39->54         started        129 Wscript called in batch mode (surpress errors) 50->129 58 conhost.exe 50->58         started        60 wscript.exe 50->60         started        62 conhost.exe 52->62         started        64 wscript.exe 52->64         started        file10 signatures11 process12 file13 79 __________________...________-------.lnk, MS 54->79 dropped 81 C:\Users\user\AppData\Local\Temp\xx2.vbs, ASCII 54->81 dropped 121 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->121 123 Writes to foreign memory regions 54->123 125 Injects a PE file into a foreign processes 54->125 66 powershell.exe 23 54->66         started        69 MSBuild.exe 54->69         started        72 powershell.exe 11 54->72         started        74 powershell.exe 54->74         started        signatures14 process15 dnsIp16 97 Loading BitLocker PowerShell Module 66->97 76 powershell.exe 1 9 66->76         started        91 196.251.89.167, 49740, 49742, 6900 Web4AfricaZA Seychelles 69->91 99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 69->99 signatures17 process18 signatures19 141 Creates autostart registry keys with suspicious values (likely registry only malware) 76->141 143 Creates autostart registry keys with suspicious names 76->143
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-03-31 17:29:12 UTC
File Type:
Text (VBS)
AV detection:
4 of 24 (16.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7otpe6uxp46sdst34tgpbeju64c4zor53wphfxlbcfuisqwj6cq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80
AsyncRAT
3a07acb9e24dace059cea1a5c9c90f457e3c0d3e823805ae2fd0241d75917fc2
AsyncRAT
3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664
AsyncRAT
449cfb586898cdc0e432940983eca397fe1fb06d83bc87d51a8ee6a3f5eaa062
AsyncRAT
82f69d218791526f3724c1e6fcf7e73272182067c80f4d037557289863a241aa
AsyncRAT
cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f
AsyncRAT
e38472a309a8c98d56f4d3384be87b4f619f93c8af02ca9c08236e20987b380c
AsyncRAT
error
AsyncRAT
+ 28 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default defense_evasion discovery execution persistence rat
Link:
https://tria.ge/reports/250331-v2lslsxjt4/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
196.251.89.167:6900
Dropper Extraction:
https://textbin.net/raw/ezjmofz3s6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments