MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bb1027dee18e8500c765590c51fefa9210707bbc8755331a1df66f760a7e061. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bb1027dee18e8500c765590c51fefa9210707bbc8755331a1df66f760a7e061
SHA3-384 hash: f95bd9aaa578b309001f96328c945578d8963403a75e089b84f6fbce0de6b82d08a5df79ddd416c931fe0b837804d020
SHA1 hash: dabe5e0a59c90666e3fabf386bd55d6023666a1d
MD5 hash: d5289993471885326cd2e10cf6eb043f
humanhash: venus-cat-finch-oven
File name:NOTEPAD.BAT
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:539 bytes
First seen:2022-03-24 07:02:46 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 12:U7TyRxcqeHSMaseHSMSM6cCv1xCn7Exrx51LHr1LHkSMrxPk1EtT7vieHSMExa:U7mRxcqeHX5eHXX6cSCn7ExN51Lr1LkJ
TLSH T113F0C2248E8A7A0AE00C91D97062C925C7CBEC3E38EE3D4B28C473B405C1A2CDF82157
Reporter ankit_anubhav
Tags:AsyncRAT latamhotel TA558

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
l444ol.bat
Verdict:
No threats detected
Analysis date:
2022-03-24 06:14:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3920767f-b51a-4d6b-9ccd-9af60d62e72b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/623c17bedfdfa8501cd71e4d/reports/d2eaa44e-e021-4607-bb24-773e79c4a646/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964182
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Windows Shell File Write to Suspicious Folder
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596663 Sample: NOTEPAD.BAT Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 8 other signatures 2->57 7 powershell.exe 14 17 2->7         started        11 cmd.exe 1 2->11         started        13 mshta.exe 21 2->13         started        15 cmd.exe 1 2->15         started        process3 dnsIp4 43 unimed-corporated.com 7->43 45 192.168.2.1 unknown unknown 7->45 59 Writes to foreign memory regions 7->59 61 Injects a PE file into a foreign processes 7->61 17 MSBuild.exe 2 7->17         started        20 conhost.exe 7->20         started        22 MSBuild.exe 7->22         started        63 Uses schtasks.exe or at.exe to add and modify task schedules 11->63 24 mshta.exe 21 11->24         started        27 conhost.exe 11->27         started        47 www.unimed-corporated.com 13->47 49 unimed-corporated.com 13->49 29 schtasks.exe 1 15->29         started        31 conhost.exe 15->31         started        signatures5 process6 dnsIp7 35 googleservice64.ddns.net 141.255.146.167, 2019 IELOIELOMainNetworkFR France 17->35 37 cdtopicadasgalaxias.ddns.net 17->37 39 unimed-corporated.com 92.249.45.99, 443, 49738, 49751 AS-HOSTINGERLT Germany 24->39 41 www.unimed-corporated.com 24->41 65 Creates processes via WMI 24->65 33 conhost.exe 29->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bb1027dee18e8500c765590c51fefa9210707bbc8755331a1df66f760a7e061/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6bb1027dee18e8500c765590c51fefa9210707bbc8755331a1df66f760a7e061

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments