MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157
SHA3-384 hash: 7104d15a76704c0e23daf57e50b0d9c7488ca56835c5b66d3c08a559549b85cee6b9e4ea73fbec3f7c99ccab481d8a9f
SHA1 hash: 5c7951317700fd35bbfd39499473889c752f9164
MD5 hash: 22bae550672a11587c37ebb8dabeefef
humanhash: beer-three-florida-neptune
File name:trwsfg.ps1
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'954 bytes
First seen:2025-01-01 07:47:02 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 48:r95cVCsQlPShJCeVrGSqQmVfbE7Qcx3XkzVtc3hx:rcMbSCS38VwX
Threatray 9 similar samples on MalwareBazaar
TLSH T15D41E83C7B35A2A144D345F1707AD78CC46046AB1118CE30B78A89D5BBF5188C2F8A4D
Magika powershell
Reporter JAMESWT_WT
Tags:147-45-44-131 157-20-182-177 185-149-146-164 AsyncRAT booking ps1 Spam-ITA StormKitty VenomRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.19048.25706.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6774f33374a2bd296e24ec3b
Tags:
autorun shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
persistence powershell
Link:
https://www.filescan.io/uploads/6774f338108e6fdea94b63db/reports/f7391d6c-26e8-4c0f-aec4-a7ba9c031a2d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157
Result
Verdict:
UNKNOWN
Result
Threat name:
AveMaria, DcRat, KeyLogger, StormKitty,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582969
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Powerup Write Hijack DLL
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected BrowserPasswordDump
Yara detected DcRat
Yara detected Generic Downloader
Yara detected Keylogger Generic
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected Strela Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1582969 Sample: trwsfg.ps1 Startdate: 01/01/2025 Architecture: WINDOWS Score: 100 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 19 other signatures 2->56 9 powershell.exe 14 21 2->9         started        process3 dnsIp4 46 147.45.44.131, 49730, 49731, 49732 FREE-NET-ASFREEnetEU Russian Federation 9->46 40 C:\Windows\Temp\Modules.bat, Unicode 9->40 dropped 42 C:\Users\user\AppData\...\DeleteApp.url, MS 9->42 dropped 68 Found many strings related to Crypto-Wallets (likely being stolen) 9->68 70 Suspicious execution chain found 9->70 72 Found suspicious powershell code related to unpacking or dynamic code loading 9->72 74 Compiles code for process injection (via .Net compiler) 9->74 14 cmd.exe 1 9->14         started        17 conhost.exe 9->17         started        file5 signatures6 process7 signatures8 76 Suspicious powershell command line found 14->76 78 Bypasses PowerShell execution policy 14->78 19 powershell.exe 35 14->19         started        23 cmd.exe 1 14->23         started        process9 file10 36 C:\Users\user\AppData\...\03bjtjx4.cmdline, Unicode 19->36 dropped 38 C:\Users\user\AppData\Local\...\03bjtjx4.0.cs, Unicode 19->38 dropped 58 Found many strings related to Crypto-Wallets (likely being stolen) 19->58 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->60 62 Writes to foreign memory regions 19->62 64 Injects a PE file into a foreign processes 19->64 25 RegAsm.exe 1 3 19->25         started        29 csc.exe 3 19->29         started        32 curl.exe 1 23->32         started        signatures11 process12 dnsIp13 48 157.20.182.177, 4449, 49733 FCNUniversityPublicCorporationOsakaJP unknown 25->48 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->66 44 C:\Users\user\AppData\Local\...\03bjtjx4.dll, PE32 29->44 dropped 34 cvtres.exe 1 29->34         started        file14 signatures15 process16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157/
Threat name:
Script-PowerShell.Trojan.Powdow
Create hunting rule
Status:
Malicious
First seen:
2024-12-29 18:10:24 UTC
File Type:
Text (PowerShell)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2lxlnjdzbj2uni5lazn6l63w2h5vkgal6omm4ujsipqbjtmaflq._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
AsyncRAT
320db923b7c701a6005e465a082ad48c2f3c8f36145ece15b4980a44202383fe
AsyncRAT
5d8b55532cda3855a8211e70366648a22ef5193dd36931fa61e3393290c2ada9
AsyncRAT
7e129f68ebb1e8730941dcf50344e256bd0e32f29cac0e641426b88a17e131c6
AsyncRAT
ad822394ecd393272d3d1ba77306e502ee90259f4c328dab80e9d6b5e4bd363f
AsyncRAT
b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1
AsyncRAT
error
AsyncRAT
fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
AsyncRAT
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery execution rat stealer
Link:
https://tria.ge/reports/250101-jm4jbs1qdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Drops startup file
Blocklisted process makes network request
Downloads MZ/PE file
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_david_CSC846
Create hunting rule
Author:David
Description:CSC-846 Golang
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

PowerShell (PS) ps1 569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3385065/
  
Delivery method
Distributed via web download

Comments