MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e48003da4e90411347ae5e4945ba9b656a25bc32b23744a8d7f7e8931bdbe6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e48003da4e90411347ae5e4945ba9b656a25bc32b23744a8d7f7e8931bdbe6e
SHA3-384 hash: 3f26c9af748fb812aeb6360323e9b5afeef53cdf72e327e59845c928b54a9cc3a6827f1950c0662373843d5dc2babc6b
SHA1 hash: 3db2b1d34f94cc5d2cc2838fc156b8ef24c9bf0d
MD5 hash: 0ec47428f6f4b7cbe56b8c4a927ed64b
humanhash: alaska-november-harry-happy
File name:AsyncClientee.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:75'429 bytes
First seen:2025-01-30 08:54:03 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:1AFd4ohVZMj7O9swhsuWlKcWE3ZgKvAVIQSG4523UoZK8sEwB71WXikKL0tXLt:1AFLZMeqwhVcz3ZZAOQSG45+UT8sEs1y
TLSH T139732D78CF152B68777735F3718B6628259ACCE1D59842BBDC89B8BC0CB4E1913E04E6
Magika vba
Reporter JAMESWT_WT
Tags:156-253-250-62 AsyncRAT vbs

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.154.35.145:6666 https://threatfox.abuse.ch/ioc/1396148/

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679b3f4229ae628cf42b7cb5
Tags:
asyncrat dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated powershell
Link:
https://www.filescan.io/uploads/679b3e68ebc56cb02ee94a66/reports/c7d6b9b4-be90-4759-b933-55a72c03e5fa/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2e48003da4e90411347ae5e4945ba9b656a25bc32b23744a8d7f7e8931bdbe6e
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1602862
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1602862 Sample: AsyncClientee.vbs Startdate: 30/01/2025 Architecture: WINDOWS Score: 100 79 69NK69.LINKPC.NET 2->79 81 0x0.st 2->81 103 Suricata IDS alerts for network traffic 2->103 105 Found malware configuration 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 19 other signatures 2->109 11 wscript.exe 2 2->11         started        15 cmd.exe 2->15         started        17 powershell.exe 26 2->17         started        19 taskkill.exe 1 2->19         started        signatures3 process4 file5 75 C:\Users\user\AppData\Local\Temp\c.bat, ASCII 11->75 dropped 119 VBScript performs obfuscated calls to suspicious functions 11->119 121 Wscript starts Powershell (via cmd or directly) 11->121 123 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->123 125 Suspicious execution chain found 11->125 21 cmd.exe 1 11->21         started        24 cmd.exe 15->24         started        26 conhost.exe 15->26         started        127 Loading BitLocker PowerShell Module 17->127 28 conhost.exe 17->28         started        30 WmiPrvSE.exe 17->30         started        32 conhost.exe 19->32         started        signatures6 process7 signatures8 111 Suspicious powershell command line found 21->111 113 Wscript starts Powershell (via cmd or directly) 21->113 115 Uses cmd line tools excessively to alter registry or file data 21->115 117 Bypasses PowerShell execution policy 21->117 34 cmd.exe 2 21->34         started        37 conhost.exe 21->37         started        39 powershell.exe 24->39         started        41 powershell.exe 24->41         started        43 conhost.exe 24->43         started        45 reg.exe 24->45         started        process9 signatures10 93 Suspicious powershell command line found 34->93 95 Wscript starts Powershell (via cmd or directly) 34->95 97 Uses cmd line tools excessively to alter registry or file data 34->97 47 powershell.exe 14 35 34->47         started        52 powershell.exe 34->52         started        54 conhost.exe 34->54         started        56 reg.exe 34->56         started        99 Loading BitLocker PowerShell Module 39->99 58 csc.exe 39->58         started        60 cmstp.exe 39->60         started        101 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 41->101 process11 dnsIp12 83 0x0.st 168.119.145.117, 443, 49710, 49879 HETZNER-ASDE Germany 47->83 71 C:\Users\user\AppData\...\1amkhvrp.cmdline, Unicode 47->71 dropped 89 Loading BitLocker PowerShell Module 47->89 62 csc.exe 3 47->62         started        65 cmstp.exe 8 7 47->65         started        85 69NK69.LINKPC.NET 94.154.35.145, 49901, 6666 SELECTELRU Ukraine 52->85 87 156.253.250.62, 49805, 49986, 5000 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 52->87 91 Found suspicious powershell code related to unpacking or dynamic code loading 52->91 73 C:\Users\user\AppData\Local\...\a1cdeulr.dll, PE32 58->73 dropped 67 cvtres.exe 58->67         started        file13 signatures14 process15 file16 77 C:\Users\user\AppData\Local\...\1amkhvrp.dll, PE32 62->77 dropped 69 cvtres.exe 1 62->69         started        process17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2e48003da4e90411347ae5e4945ba9b656a25bc32b23744a8d7f7e8931bdbe6e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e48003da4e90411347ae5e4945ba9b656a25bc32b23744a8d7f7e8931bdbe6e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-01-30 08:19:02 UTC
File Type:
Text (VBS)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzeaapne5ecbcnd24xsjiw5jwzlkew6dfmrxisunp57ismn5xzxa._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default discovery execution persistence rat
Link:
https://tria.ge/reports/250130-kvf9fayldj/
Behaviour
Kills process with taskkill
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
69NK69.LINKPC.NET:6666
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Visual Basic Script (vbs) vbs 2e48003da4e90411347ae5e4945ba9b656a25bc32b23744a8d7f7e8931bdbe6e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3420655/
  
Delivery method
Distributed via web download

Comments