MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
SHA3-384 hash: e19ba9a3ae27540a1490cec1f50ba51fac8741f6adf7af4e1aa860d53b4db1bc3a313d10de40536fe5c0c5679adbf930
SHA1 hash: 9238a4986ac66a7b5ba1f9743c602f41c203d8b2
MD5 hash: 1b0551c9ae613b922e576b1e5579678c
humanhash: london-delaware-juliet-robin
File name:YT View Bot.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:11'049'962 bytes
First seen:2022-12-16 02:36:44 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:8UZoNdFyVleMmcjbM8S+T9exgshH8W48Os02iblQl2CLNTvNKM76qNAbB/Kx2ftu:Q
Threatray 3'491 similar samples on MalwareBazaar
TLSH T11EB633609E787EAE4628832C607F5F5C27B01FD4C01CF1EB5BD474C75AAA781492B9B8
Reporter Anonymous
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
YT View Bot.bat
Verdict:
Suspicious activity
Analysis date:
2022-12-16 02:38:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd04880d-5b90-4be1-8d8a-1b8a0590d251

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346839/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
warp
Link:
https://www.filescan.io/uploads/639bd9cf13ee305535a80392/reports/e12963b2-3847-43d9-a24c-a85a600422b3/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1135439
Signature
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Powershell drops PE file
Renames powershell.exe to bypass HIPS
Self deletion via cmd or bat file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 768169 Sample: YT View Bot.bat Startdate: 16/12/2022 Architecture: WINDOWS Score: 100 63 Vi7tual-62894.portmap.host 2->63 75 Suspicious powershell command line found 2->75 77 Very long command line found 2->77 79 Self deletion via cmd or bat file 2->79 81 2 other signatures 2->81 10 cmd.exe 2 2->10         started        14 $sxr-powershell.exe 12 2->14         started        signatures3 process4 file5 61 C:\Users\user\Desktop\YT View Bot.bat.exe, PE32+ 10->61 dropped 93 Uses ping.exe to sleep 10->93 95 Uses ping.exe to check the status of other devices and networks 10->95 97 Renames powershell.exe to bypass HIPS 10->97 16 YT View Bot.bat.exe 1 19 10->16         started        20 conhost.exe 10->20         started        99 Powershell drops PE file 14->99 22 conhost.exe 14->22         started        signatures6 process7 file8 53 C:\Windows\$sxr-powershell.exe, PE32+ 16->53 dropped 65 Suspicious powershell command line found 16->65 67 Very long command line found 16->67 69 Self deletion via cmd or bat file 16->69 71 6 other signatures 16->71 24 $sxr-powershell.exe 11 16->24         started        28 dllhost.exe 16->28         started        30 cmd.exe 16->30         started        32 2 other processes 16->32 signatures9 process10 file11 55 C:\Windows\System32\vcruntime140d.dll, PE32+ 24->55 dropped 57 C:\Windows\System32\vcruntime140_1d.dll, PE32+ 24->57 dropped 59 C:\Windows\System32\ucrtbased.dll, PE32+ 24->59 dropped 83 Writes to foreign memory regions 24->83 85 Modifies the context of a thread in another process (thread injection) 24->85 87 Injects a PE file into a foreign processes 24->87 89 Creates a thread in another existing process (thread injection) 28->89 34 winlogon.exe 28->34 injected 36 lsass.exe 28->36 injected 38 svchost.exe 28->38 injected 48 2 other processes 28->48 91 Uses ping.exe to sleep 30->91 40 conhost.exe 30->40         started        42 PING.EXE 30->42         started        44 taskkill.exe 30->44         started        46 attrib.exe 30->46         started        signatures12 process13 process14 50 dllhost.exe 34->50         started        signatures15 73 Creates a thread in another existing process (thread injection) 50->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eenlwe4p3ng7mfnotwl2hh6qnqu5ofanulvfdevlsk3ozfhazvqq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25
AsyncRAT
0c46021aa8d5a1164ee93248ea12f42e05612006943fb9bf32d2d4fbd4a9dcbc
AsyncRAT
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d
AsyncRAT
2bcc9de5864db2565584eff71620b53404d35d6bf24b6971be671d82a3b552dd
AsyncRAT
344bfda08e4286ce26dbea13bc9e48892f297e8fb74c1c5eec47a6a2047da3be
AsyncRAT
5a94c5fee27b53c98286774dddf29892ee25e6326e1db3e22db264766af39889
AsyncRAT
bf45d7d41cf421da9cf70d0616d2e2ed599829a190fbfc6b6fd1170cecc5657a
AsyncRAT
cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
AsyncRAT
+ 3'481 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221216-c35yrsea23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/346839/

Comments