MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fc706ce01f2ff41e02943699351d1ad3c32160cbd0be0b8bb85f9472303d4c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	3fc706ce01f2ff41e02943699351d1ad3c32160cbd0be0b8bb85f9472303d4c2
SHA3-384 hash:	2af914aaf867e4c705aff598f13015314e1dc9d9644ee053079abc8a6e482ad47e5ee1330ec0d2622b4fa42308079e5a
SHA1 hash:	735c49ec7470bf37b959da51a1a0bd2dcd7fe4e3
MD5 hash:	2e593fb6c2722e2f0fa6ed8552f6bb8f
humanhash:	louisiana-high-wyoming-queen
File name:	0000001239_PDF.vbs
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	440 bytes
First seen:	2021-10-19 09:39:59 UTC
Last seen:	2021-10-19 09:59:02 UTC
File type:	vbs
MIME type:	text/plain
ssdeep	12:SCw9wCJhIgmVeljehfMWUBAzdqsH3wujayCXg0TC:9wtrp+fMWPnwuqQcC
Threatray	151 similar samples on MalwareBazaar
TLSH	T1F9F0DF5FF41F6BD70A217553F1F79125892081064BA4CA7D8222878D4B618663B2507E
Reporter	pr0xylife
Tags:	AsyncRAT vbs

Intelligence

File Origin

# of uploads :

# of downloads :

276

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/198440/

Detection(s):

SecuriteInfo.com.Trojan.Script.Agent.gmbvfx.19697.29832.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

75%

Tags:

powershell

Link:

https://www.filescan.io/uploads/616e927edb358dd15ec39dc0/reports/d02ce3a6-7a2e-4663-bd94-f1f3db14178a/overview

Result

Verdict:

SUSPICIOUS

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/872987

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Sigma detected: Suspicious PowerShell Command Line

VBScript performs obfuscated calls to suspicious functions

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3fc706ce01f2ff41e02943699351d1ad3c32160cbd0be0b8bb85f9472303d4c2/

Threat name:

Script-WScript.Downloader.Nemucod

Status:

Malicious

First seen:

2021-10-19 09:40:15 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h7dqntqb6l7udybjinuzguorvu6defqmxuf6bof3qx4uoiyd2tba._file

Verdict:

malicious

Label(s):

asyncrat

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default rat

Link:

https://tria.ge/reports/211019-lnaczsgddj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Blocklisted process makes network request

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

139.28.37.182:5200

Dropper Extraction:

http://135.125.248.37/Bypass1.txt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3fc706ce01f2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3fc706ce01f2ff41e02943699351d1ad3c32160cbd0be0b8bb85f9472303d4c2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/198440/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample