MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ab15234cdc0baf746b77352e6d47af4643544c48c32653bd215c6e5296b6f3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ab15234cdc0baf746b77352e6d47af4643544c48c32653bd215c6e5296b6f3c
SHA3-384 hash: d767102884cc46138c7d5dc7841f49b2f8396a0ecb726648575466a3e4e5c0dd095202aa027ec966f4b87963e018cedc
SHA1 hash: 1297d77e41665c872d7e6272f73b7ee121c1e8b4
MD5 hash: 487079a3e5cd167fb91c3e3734c40153
humanhash: texas-juliet-delaware-william
File name:EncL.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'769 bytes
First seen:2022-02-22 19:01:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:JRrjleLz4IYOINpCDwk/pKI7Y/j+hA3herriwx7QkquS/:Llen4IYOsEwk/pIChA3herrvx7QkvS/
Threatray 1'245 similar samples on MalwareBazaar
TLSH T1EA718374B0247AF38D02BD29D4E891731E7734345AFBA582882106371EF9DBA27DA257
Reporter adm1n_usa32
Tags:AsyncRAT vbs


Avatar
adm1n_usa32
extracted from html file and modified so it works as a standalone VBS

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243424/
Detection(s):
SecuriteInfo.com.JS.Trojan.Cryxos.8146.19707.9785.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6215332ea2660f3bb927f581/reports/e0b7d3db-33ba-42f4-a21b-24a2c74e1b42/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944237
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576711 Sample: EncL.vbs Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 66 12 other signatures 2->66 8 wscript.exe 1 2->8         started        11 cmd.exe 2->11         started        13 cmd.exe 2->13         started        15 wscript.exe 2->15         started        process3 signatures4 80 VBScript performs obfuscated calls to suspicious functions 8->80 82 Wscript starts Powershell (via cmd or directly) 8->82 84 Obfuscated command line found 8->84 90 2 other signatures 8->90 17 powershell.exe 14 25 8->17         started        86 Suspicious powershell command line found 11->86 88 PowerShell case anomaly found 11->88 22 cmd.exe 11->22         started        24 conhost.exe 11->24         started        26 cmd.exe 13->26         started        28 conhost.exe 13->28         started        process5 dnsIp6 54 3.145.46.6, 49744, 80 AMAZON-02US United States 17->54 46 C:\ProgramData\...\WZQNBDSLVGAWPUXJRUVDYE.ps1, ASCII 17->46 dropped 48 C:\ProgramData\...\LZAVOBYIRFWZQZVCTGHPQB.vbs, ASCII 17->48 dropped 50 C:\ProgramData\...\LZAVOBYIRFWZQZVCTGHPQB.ps1, ASCII 17->50 dropped 52 C:\ProgramData\...\LZAVOBYIRFWZQZVCTGHPQB.bat, DOS 17->52 dropped 72 Suspicious powershell command line found 17->72 74 Bypasses PowerShell execution policy 17->74 30 powershell.exe 36 17->30         started        32 conhost.exe 17->32         started        76 Wscript starts Powershell (via cmd or directly) 22->76 78 PowerShell case anomaly found 22->78 34 powershell.exe 22->34         started        37 powershell.exe 26->37         started        file7 signatures8 process9 signatures10 39 wscript.exe 30->39         started        68 Writes to foreign memory regions 34->68 70 Injects a PE file into a foreign processes 34->70 41 aspnet_compiler.exe 34->41         started        44 aspnet_compiler.exe 37->44         started        process11 dnsIp12 56 asyncpcc.duckdns.org 103.151.123.194, 49747, 7841 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown 41->56 58 192.168.2.1 unknown unknown 41->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ab15234cdc0baf746b77352e6d47af4643544c48c32653bd215c6e5296b6f3c/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 19:02:09 UTC
File Type:
Text (VBS)
AV detection:
12 of 28 (42.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkyvengnyc5porvxonjonvd26rsdkrgerqzgko6scxdokklln46a._file
Verdict:
unknown
Similar samples:
067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
AsyncRAT
1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2
AsyncRAT
32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559
AsyncRAT
3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f
AsyncRAT
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
AsyncRAT
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
AsyncRAT
92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448
AsyncRAT
cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0
AsyncRAT
dda839584708cdc28f165d0f387a43dbd32b7f56bba0af7c942ee2b751e9ab75
AsyncRAT
eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1
AsyncRAT
+ 1'235 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat suricata
Link:
https://tria.ge/reports/220222-xpr5zadgdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Async RAT payload
AsyncRat
Process spawned unexpected child process
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
asyncmoney.duckdns.org:7829
asyncmoney.duckdns.org:7840
asyncmoney.duckdns.org:7841
asyncmoney.duckdns.org:7842
asyncmoney.duckdns.org:7849
asyncpcc.duckdns.org:7829
asyncpcc.duckdns.org:7840
asyncpcc.duckdns.org:7841
asyncpcc.duckdns.org:7842
asyncpcc.duckdns.org:7849
monedfghsja.duckdns.org:7829
monedfghsja.duckdns.org:7840
monedfghsja.duckdns.org:7841
monedfghsja.duckdns.org:7842
monedfghsja.duckdns.org:7849
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ab15234cdc0baf746b77352e6d47af4643544c48c32653bd215c6e5296b6f3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/64a00bca-ac8b-4a8b-911c-14e06cad6385
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/243424/

Comments