MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4373ec87c988abcb11a483bc9b6225760464b1929a0e1dee1ffcbdd76c1b242c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4373ec87c988abcb11a483bc9b6225760464b1929a0e1dee1ffcbdd76c1b242c
SHA3-384 hash: 08e29fb6798c29687e196ba071e18ff8d756bf03410d7e352672e25c6dbba0392a708c57104d022252c0bd0f5c68a815
SHA1 hash: 9df96d06e535a1ece1efe04513a9d77fc6e65d39
MD5 hash: 5d5fa9db40b4b7484da34c6b8f838a0d
humanhash: lion-cardinal-ceiling-winner
File name:#6454-0027.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:475'150 bytes
First seen:2025-05-08 06:48:48 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:rcMcMccccccMMccc/cMcMccccccMMcccZcccccccMcMccMcccWcccccccMcMccMj:/
Threatray 1'450 similar samples on MalwareBazaar
TLSH T182A47B03D662B5149A61AFADFF50F250E7EEA79BF458D01781E5383A8235B133623CD8
Magika vba
Reporter smica83
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681c545391991ead82b615bd
Tags:
autorun xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated persistence powershell
Link:
https://www.filescan.io/uploads/681c53e2d95f3e34e963c716/reports/2a574fbf-43d4-4289-a7ad-3403620d06dc/overview
Verdict:
Malicious
Labled as:
HEUR_Trojan_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/4373ec87c988abcb11a483bc9b6225760464b1929a0e1dee1ffcbdd76c1b242c
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1684175
Signature
.NET source code contains potential unpacker
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Potential malicious VBS script found (has network functionality)
Sample uses string decryption to hide its real strings
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1684175 Sample: #6454-0027.vbs Startdate: 08/05/2025 Architecture: WINDOWS Score: 100 41 bunnymax2.dynathome.net 2->41 43 bunnymax.bounceme.net 2->43 45 2 other IPs or domains 2->45 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 14 other signatures 2->65 8 wscript.exe 1 2->8         started        11 wscript.exe 1 1 2->11         started        13 wscript.exe 2->13         started        signatures3 process4 signatures5 67 VBScript performs obfuscated calls to suspicious functions 8->67 69 Suspicious powershell command line found 8->69 71 Wscript starts Powershell (via cmd or directly) 8->71 73 3 other signatures 8->73 15 powershell.exe 14 52 8->15         started        20 powershell.exe 15 11->20         started        22 powershell.exe 13->22         started        process6 dnsIp7 49 pybase.com 122.201.127.73, 443, 49719 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 15->49 37 C:\ProgramData\Cloud\cloud.ps1, ASCII 15->37 dropped 39 C:\ProgramData\Cloud\cloud.js, ASCII 15->39 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 15->51 53 Loading BitLocker PowerShell Module 15->53 24 conhost.exe 15->24         started        26 schtasks.exe 1 15->26         started        55 Writes to foreign memory regions 20->55 57 Creates a thread in another existing process (thread injection) 20->57 28 RegSvcs.exe 2 20->28         started        31 conhost.exe 20->31         started        33 conhost.exe 22->33         started        35 RegSvcs.exe 22->35         started        file8 signatures9 process10 dnsIp11 47 bunnymax2.dynathome.net 62.146.226.225, 49724, 7707 QSC-AG-IPXDE Germany 28->47
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4373ec87c988abcb11a483bc9b6225760464b1929a0e1dee1ffcbdd76c1b242c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4373ec87c988abcb11a483bc9b6225760464b1929a0e1dee1ffcbdd76c1b242c/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 23:02:01 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=inz6zb6jrcv4weneqo6jwyrfoycgjmmstihb33q77s65o3a3eqwa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1b0be562bf434314a8d784f0228b72b07fcb4c090c6f06fb16ba6c5af4147b02
AsyncRAT
9ab54668a6e564fc3aba0c68a9eb940c5f1a85e9acebdb1f39f528490ef9abd7
AsyncRAT
adc29eb24db484b14101ce4ab0e8eeda1586009dd65f980e596c8fa45703678c
AsyncRAT
e3922972e0bf6c9b59bf0a4234818b92d9ccecda13d6ad729c86ab6143f79179
AsyncRAT
error
AsyncRAT
fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
AsyncRAT
+ 1'440 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:donutloader botnet:default agilenet discovery execution loader rat
Link:
https://tria.ge/reports/250508-hlecdabn9s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
Detects DonutLoader
DonutLoader
Donutloader family
Malware Config
C2 Extraction:
bunnymax.bounceme.net:6606
bunnymax.bounceme.net:7707
bunnymax.bounceme.net:8808
bunnymax2.dynathome.net:6606
bunnymax2.dynathome.net:7707
bunnymax2.dynathome.net:8808
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4373ec87c988abcb11a483bc9b6225760464b1929a0e1dee1ffcbdd76c1b242c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments