MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6308f3eef2d45148c4544a0c31d5bb73f28dac4b6fcb854e003e2caa0c39d26f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 11


SHA256 hash: 6308f3eef2d45148c4544a0c31d5bb73f28dac4b6fcb854e003e2caa0c39d26f
SHA3-384 hash: 0ae5a0809a91f355450b9a75047bf82156a2e0126c3946d6d5832950f57fcf35bf76f95a994722fa2451a425a2876286
SHA1 hash: 7f536fa9c3972c4416e8620335e39f9e93092103
MD5 hash: 90c3dfd74d6ab4b7b98777930ab44a23
humanhash: floor-wyoming-winter-december
File name: sasa.bat
Signature: AsyncRAT
File size: 7'229 bytes
First seen: 2024-08-05 04:22:59 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 12:b4tdk5jtnrC0yyGyDF98oul666666666666HW4xmBWp/CR898U7LtaJO20c1H:b4/otrlyRKubxwWRCRKpJD8H
TLSH: T17BE157CD210650554272916CCF39D54E679A53F43864E8B0FF1B30C6D5C8CDB8B9B6B4
Reporter: lontze7
Tags: AsyncRAT, bat, Downloader

Intelligence


File Origin
# of uploads: 1
# of downloads: 133
Origin country: FR

Vendor Threat Intelligence

Malware family: asyncrat
ID: 1
File name: sasa.bat
Verdict: Malicious activity
Analysis date: 2024-08-05 04:25:14 UTC
Tags: opendir loader rat asyncrat remote
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: Execution Network Stealth Trojan
Result
Verdict: MALICIOUS
Threat name: AsyncRAT, DcRat
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Powershell download and execute
Result
Verdict: malicious
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:default execution rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
127.0.0.1:1024
20.199.84.103:1024
Dropper Extraction:
http://20.199.84.103/Client.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: AsyncRAT
File type: Batch (bat)
SHA256: 6308f3eef2d45148c4544a0c31d5bb73f28dac4b6fcb854e003e2caa0c39d26f (this sample)

Delivery method: Distributed via web download

Comments