MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 575f435562373b4f11c97062d83951aa5cee11653094d213c90fa2666c997f7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 575f435562373b4f11c97062d83951aa5cee11653094d213c90fa2666c997f7a
SHA3-384 hash: 11c245bdeaacdb7609cc93492312a3792f2245bcd5b8234eeba436f4fa47cb1966f59a6671a735c85fc3dea0c5095684
SHA1 hash: 683101631e04a43b687ec8e76f9381e327bb16e0
MD5 hash: 2e987d06a0eca2ef3469da1dd3147617
humanhash: enemy-spaghetti-oklahoma-west
File name:Invoice #451162237.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:54'583 bytes
First seen:2022-04-26 09:31:24 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:Hlk53sRfRdgPQ3FNE3ebNA3pN6N1kjJi6BFvYNsCvALNOQjx:Fk53sRJZD9NhoxOQl
Threatray 7'594 similar samples on MalwareBazaar
TLSH T17B336442FC074839D4720676AC17547DCB630043B2616AA5BA8CF1D50FB7B2DE9FEA68
Reporter pr0xylife
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266704/
Detection(s):
SecuriteInfo.com.VBS.TrojanDownloader.Agent.XBI.8160.9292.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cscript.exe
Link:
https://www.filescan.io/uploads/6267bc120ff818635615db73/reports/894725b9-1290-4082-83f1-3259ef2623c9/overview
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
AsyncRAT DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/983099
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected DcRat
Yara detected RUNPE
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615583 Sample: Invoice #451162237.vbs Startdate: 26/04/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 11 other signatures 2->75 10 wscript.exe 3 1 2->10         started        14 wscript.exe 2->14         started        process3 dnsIp4 67 SQL8001.site4now.net 199.102.48.251, 1433, 49743 ZCOLO-LAS01US United States 10->67 89 System process connects to network (likely due to code injection or exploit) 10->89 91 Wscript starts Powershell (via cmd or directly) 10->91 16 powershell.exe 14 18 10->16         started        21 powershell.exe 14->21         started        signatures5 process6 dnsIp7 61 pastetext.net 188.114.96.7, 443, 49771 CLOUDFLARENETUS European Union 16->61 51 C:\Users\Public\akwmckua5u.PS1, UTF-8 16->51 dropped 77 Drops VBS files to the startup folder 16->77 79 Compiles code for process injection (via .Net compiler) 16->79 23 powershell.exe 24 16->23         started        27 conhost.exe 16->27         started        53 C:\Users\user\AppData\Local\...\mmf5rblc.0.cs, C++ 21->53 dropped 81 Writes to foreign memory regions 21->81 83 Injects a PE file into a foreign processes 21->83 29 csc.exe 21->29         started        31 conhost.exe 21->31         started        33 AppLaunch.exe 21->33         started        file8 signatures9 process10 file11 57 C:\Users\user\...\SystemSoundLogin.vbs, ASCII 23->57 dropped 85 Writes to foreign memory regions 23->85 87 Injects a PE file into a foreign processes 23->87 35 csc.exe 3 23->35         started        38 AppLaunch.exe 2 4 23->38         started        59 C:\Users\user\AppData\Local\...\mmf5rblc.dll, PE32 29->59 dropped 41 cvtres.exe 29->41         started        signatures12 process13 dnsIp14 55 C:\Users\user\AppData\Local\...\prlzzlf4.dll, PE32 35->55 dropped 43 cvtres.exe 1 35->43         started        63 crazydns.linkpc.net 91.193.75.189, 49785, 49805, 5900 DAVID_CRAIGGG Serbia 38->63 65 192.168.2.1 unknown unknown 38->65 45 cmd.exe 38->45         started        file15 process16 process17 47 conhost.exe 45->47         started        49 timeout.exe 45->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/575f435562373b4f11c97062d83951aa5cee11653094d213c90fa2666c997f7a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-26 05:51:12 UTC
File Type:
Text (VBS)
AV detection:
5 of 41 (12.20%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56
AsyncRAT
4e7105da7face5917f66842ba73810d29826cb971140f9da2b0efb7a37de3c0e
AsyncRAT
63ca532a13ff909b4b7f72b9a094fa3fc59713984f645664c95a66f14be5f96a
AsyncRAT
682d0715a72ba27e0b0fe217b30adb446500758b97dc8fa603727b490f6fb60f
AsyncRAT
992dffa683d5a6e02b1bc40a2447a7cbfa03eab11adf8f9a5ff2b1d18cec7c93
AsyncRAT
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AsyncRAT
bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75
AsyncRAT
d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2
AsyncRAT
edfb9fccf0853fad2647060eb93a4c097c76c86e689c004cc0dfc9e897a1024a
AsyncRAT
+ 7'584 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/220426-lhlh3abha4/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
crazydns.linkpc.net:5900
Dropper Extraction:
https://pastetext.net/raw/akwmckua5u
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/575f435562373b4f11c97062d83951aa5cee11653094d213c90fa2666c997f7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266704/

Comments