MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2be211f45f8595e6e9b55ba227173aed35eb1ce53fb119beceb49f236232814d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2be211f45f8595e6e9b55ba227173aed35eb1ce53fb119beceb49f236232814d
SHA3-384 hash: 154a0c0f0e80eac7a65d642a673e4239bd55b60c51abbb0fa64334e79e2707f75c2c44e9b4bfd902a68ce4ed81619bb5
SHA1 hash: 94ca628d187dbae0594eab048c07a8112c61873a
MD5 hash: 0d4462f999e3c38d093df1ce64929df1
humanhash: maryland-fanta-autumn-harry
File name:NEW QUOTE.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:8'938'658 bytes
First seen:2025-04-03 16:13:36 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:nYbHYb3YbHYb3YbHYb3YbHYb3YbHYb3YbHYb3YbHYb3YbHYb3YbHYb3YbHYb3Yb5:8w7kwAYC
Threatray 42 similar samples on MalwareBazaar
TLSH T14296C79173F91249BAB30E0260B123345E7E39A90E3DA96D7920C5198DF2C94DEF4B77
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika asp
Reporter abuse_ch
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/362/
Detection(s):
SecuriteInfo.com.JS.Obfus-2565.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ed014e855e5ec5240c26ae
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive powershell
Link:
https://www.filescan.io/uploads/67eeb3df2d430c849e051088/reports/bb42843b-b959-4058-bb06-79f528027b77/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2be211f45f8595e6e9b55ba227173aed35eb1ce53fb119beceb49f236232814d
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1655856
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Paste sharing url in reverse order
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1655856 Sample: NEW QUOTE.vbs Startdate: 03/04/2025 Architecture: WINDOWS Score: 100 87 textbin.net 2->87 89 paste.ee 2->89 91 2 other IPs or domains 2->91 101 Suricata IDS alerts for network traffic 2->101 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 109 20 other signatures 2->109 11 wscript.exe 1 2->11         started        14 powershell.exe 2->14         started        16 powershell.exe 2->16         started        18 powershell.exe 11 2->18         started        signatures3 107 Connects to a pastebin service (likely for C&C) 89->107 process4 signatures5 135 Suspicious powershell command line found 11->135 137 Wscript starts Powershell (via cmd or directly) 11->137 139 Uses schtasks.exe or at.exe to add and modify task schedules 11->139 143 2 other signatures 11->143 20 powershell.exe 7 11->20         started        23 schtasks.exe 1 11->23         started        25 schtasks.exe 1 11->25         started        27 MpCmdRun.exe 11->27         started        29 wscript.exe 14->29         started        31 conhost.exe 14->31         started        33 wscript.exe 16->33         started        35 conhost.exe 16->35         started        141 Wscript called in batch mode (surpress errors) 18->141 37 2 other processes 18->37 process6 signatures7 111 Suspicious powershell command line found 20->111 113 Encrypted powershell cmdline option found 20->113 115 Bypasses PowerShell execution policy 20->115 119 2 other signatures 20->119 39 powershell.exe 14 19 20->39         started        44 conhost.exe 20->44         started        46 conhost.exe 23->46         started        48 conhost.exe 25->48         started        50 conhost.exe 27->50         started        117 Wscript starts Powershell (via cmd or directly) 29->117 52 powershell.exe 29->52         started        54 powershell.exe 33->54         started        process8 dnsIp9 93 paste.ee 23.186.113.60, 443, 49696, 49698 KLAYER-GLOBALNL Reserved 39->93 95 textbin.net 104.21.80.1, 443, 49695, 49697 CLOUDFLARENETUS United States 39->95 81 C:\Users\user\AppData\Local\Temp\dll03.ps1, Unicode 39->81 dropped 125 Potential dropper URLs found in powershell memory 39->125 56 powershell.exe 15 39->56         started        127 Wscript called in batch mode (surpress errors) 52->127 60 conhost.exe 52->60         started        62 wscript.exe 52->62         started        64 conhost.exe 54->64         started        66 wscript.exe 54->66         started        file10 signatures11 process12 file13 83 __________________...________-------.lnk, MS 56->83 dropped 85 C:\Users\user\AppData\Local\Temp\xx2.vbs, ASCII 56->85 dropped 129 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 56->129 131 Writes to foreign memory regions 56->131 133 Injects a PE file into a foreign processes 56->133 68 powershell.exe 23 56->68         started        71 MSBuild.exe 56->71         started        73 MSBuild.exe 56->73         started        76 3 other processes 56->76 signatures14 process15 dnsIp16 121 Loading BitLocker PowerShell Module 68->121 78 powershell.exe 1 11 68->78         started        123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 71->123 97 196.251.90.23, 49703, 6900 Web4AfricaZA Seychelles 73->97 99 127.0.0.1 unknown unknown 73->99 signatures17 process18 signatures19 145 Creates autostart registry keys with suspicious values (likely registry only malware) 78->145 147 Creates autostart registry keys with suspicious names 78->147
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2be211f45f8595e6e9b55ba227173aed35eb1ce53fb119beceb49f236232814d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2be211f45f8595e6e9b55ba227173aed35eb1ce53fb119beceb49f236232814d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-02 09:20:15 UTC
File Type:
Text (VBS)
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fprbd5c7qwk6n2nvlorcofz25u26whhfh6yrtpwowspsgyrsqfgq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
AsyncRAT
19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1
AsyncRAT
2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80
AsyncRAT
3a07acb9e24dace059cea1a5c9c90f457e3c0d3e823805ae2fd0241d75917fc2
AsyncRAT
3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664
AsyncRAT
8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae
AsyncRAT
cdc2106e6e47fe9e06e5c1b655b8428706cf3db33e31b854ddf3e1269d9c7978
AsyncRAT
cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f
AsyncRAT
e38472a309a8c98d56f4d3384be87b4f619f93c8af02ca9c08236e20987b380c
AsyncRAT
error
AsyncRAT
+ 32 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default defense_evasion discovery execution persistence rat
Link:
https://tria.ge/reports/250403-tqfa1syxb1/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
196.251.90.23:6900
127.0.0.1:6900
Dropper Extraction:
https://textbin.net/raw/ezjmofz3s6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2be211f45f8595e6e9b55ba227173aed35eb1ce53fb119beceb49f236232814d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/362/

Comments