MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6949fa1963aeb69b8ddaf86fd34778f2f9cf02347fb64feb7c61d40786289208. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6949fa1963aeb69b8ddaf86fd34778f2f9cf02347fb64feb7c61d40786289208
SHA3-384 hash: 875ac884396fc997da99ff5f09b35898c5d9c68f8dc845ff3ddecfed135fab7429d5d0fad12153ab30913c425ae09c41
SHA1 hash: 587531bb518df15efcbd7dc29b5874eb1bc0fe22
MD5 hash: 380eea03471d89c60321ab9d2a48282d
humanhash: cat-thirteen-july-wyoming
File name:IDSTATEMENTS.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:558 bytes
First seen:2021-10-27 10:22:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:TaVLMUVb9wCJhIgmVeljehfMWUBAzdqsH3d6PSECXg0TC:mV4UvXrp+fMWPnd62QcC
Threatray 160 similar samples on MalwareBazaar
TLSH T12DF05C6FF42FE6D306256907F1E6913E853444C30B90CA7C5116429D4B218767E2987F
Reporter abuse_ch
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection:
asyncrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200463/
Detection(s):
SecuriteInfo.com.Trojan.Agent.FOZQ.6245.18002.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/61792889a9d585e6d53b024f/reports/c26bddbc-58fe-4a73-be2c-c173f6954679/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877617
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Sample uses process hollowing technique
Sigma detected: Suspicious PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6949fa1963aeb69b8ddaf86fd34778f2f9cf02347fb64feb7c61d40786289208/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 10:23:07 UTC
AV detection:
7 of 27 (25.93%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfe7ugldv23jxdo27bx5gr3y6l446arup63e7234mhkapbrisiea._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0
AsyncRAT
414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd
AsyncRAT
5c023edc2053e7c5d51e392f409b77aa421d36772e785c6107ff36df79ad8916
AsyncRAT
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
AsyncRAT
79dbd50c88d7cb8460d8174c4ebca918f8b6f7b5cdde217cb653e649fe042e04
AsyncRAT
ca2f1fd98c74804cf417f07a86db13a71baed4647e919a110a82df0bfba02e85
AsyncRAT
dcb1bbb6f69b880896f615b9ad613ad5f11bea4ddce31f5a18a0616cd600799a
AsyncRAT
ed8d3e6cf2c859be09ee5107a067b3917cabe936706327657a2fc563f12b43b9
AsyncRAT
+ 150 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat suricata
Link:
https://tria.ge/reports/211027-meszeaacdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
ahmed2611.linkpc.net:6666
Dropper Extraction:
https://cdn.discordapp.com/attachments/902578496671453217/902580159704629268/ggg.txt
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6949fa1963ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6949fa1963aeb69b8ddaf86fd34778f2f9cf02347fb64feb7c61d40786289208

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Visual Basic Script (vbs) vbs 6949fa1963aeb69b8ddaf86fd34778f2f9cf02347fb64feb7c61d40786289208

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/200463/

Comments