MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e8ec031aa14b689b7db1e91d18c309b337427efabaa3385c987f40231ce4d41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	6e8ec031aa14b689b7db1e91d18c309b337427efabaa3385c987f40231ce4d41
SHA3-384 hash:	d1097422745268d107be287cf5f4227de779453a8dc7bcd188ac370c42d7cfcac96ebafd32e20ef08490575bf7139030
SHA1 hash:	f821940a51c9dc0173be487f6604e29836d31bc4
MD5 hash:	898f46f2714d3999b195207765753c19
humanhash:	mockingbird-beryllium-east-football
File name:	Invoice #3291.vbs
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	1'509 bytes
First seen:	2021-11-13 09:50:27 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:p4OtGAKvzjepfMWPnwJASMVQ6xV3cJeWB23LV7ANAtGApaAdZJA4yoQNAx4hfLOC:egG/vWpMRALxsJDIZ48Gdq9ce4hfB
Threatray	170 similar samples on MalwareBazaar
TLSH	T109318D3CFE6365860D31ED2D936A5EE3CCAC1417CF70E531519943898672875295C06F
Reporter	abuse_ch
Tags:	AsyncRAT vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/205432/

Detection(s):

SecuriteInfo.com.PowerShell.DownLoader.1483.26825.31449.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

powershell powershell valyria

Link:

https://www.filescan.io/uploads/618f8a88a00afa9663a608fb/reports/9438e841-b87a-4ff7-a38e-bc1f64594e65/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/888178

Signature

.NET source code contains potential unpacker

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Obfuscated command line found

Sigma detected: Change PowerShell Policies to a Unsecure Level

Sigma detected: Suspicious PowerShell Command Line

Uses dynamic DNS services

VBScript performs obfuscated calls to suspicious functions

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e8ec031aa14b689b7db1e91d18c309b337427efabaa3385c987f40231ce4d41/

Threat name:

Script-WScript.Trojan.Valyria

Status:

Malicious

First seen:

2021-11-13 01:47:34 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n2hmamnkcs3itn63d2i5ddbqtmzxij7pvovdhbojq72aemoojvaq._file

Verdict:

malicious

Label(s):

asyncrat

Similar samples:

043624c213f4575f22c66f72f20dd68a1126363beefd8d1c7c5c0d82a5a556ce

3959233284f7f4a7bec2a314820e3b8e073591a31dfe8c43a03f7a24833b7fd3

3fc706ce01f2ff41e02943699351d1ad3c32160cbd0be0b8bb85f9472303d4c2

6d392e6956913772c10d49c5a64933b5bbc17d66a8ce02e5ed6716141af438ed

96fa5508157c3e0b18ccaa02417198c62816e549791997efd29dbcb8801e0db0

a341b8f10a51457c11292173cfa48fe49256c9ccef8ec045753b49b2bfa935d6

bdcaf31f882353b75031d1d7353085ff529612bec3a62e462fa3086d2a79bb85

caf35ea9298dd671604af5920dccb89362fee4a67b24f8bfe73e12ceedc91504

ec1bac96e2d3cf5025030b902468c360b6d408442ae94b1080cd899d2e617f57

+ 160 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:re-invite rat

Link:

https://tria.ge/reports/211113-lvhb6sbghr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Blocklisted process makes network request

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

petrol-chem108.duckdns.org:4021

Dropper Extraction:

http://3.134.115.127/couna/bypass.txt

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

URLhaus

https://urlhaus.abuse.ch/host/3.134.115.127/

Cape

Cape

https://www.capesandbox.com/analysis/205432/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample