MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10
SHA3-384 hash: 200ec9b9d960cd22cdd21a329ff0050cb513305ab4a339f16c5427372f420f270b26a31f7ed5f68ef289b5706625adb5
SHA1 hash: 158a8e3b278affe7c1185aad67683e4253cf53dd
MD5 hash: bb445d197063475c8d78de4f0825753c
humanhash: sink-pip-item-carolina
File name:gqub.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'495 bytes
First seen:2025-01-01 07:51:18 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24:wuuFrLntq+ojZlhiF5ovWUiF5l4T6n9HFECs+//t0nuMXvaaHisT0o0r:wRv0lhYivVYwy9/2u8PxS
Threatray 11 similar samples on MalwareBazaar
TLSH T1A1717C02E06DC3F4A244687CF5C831D79B6EFDE35A97FBA049B8C4B4B540C5AE058970
Magika vba
Reporter JAMESWT_WT
Tags:147-45-44-131 157-20-182-177 AsyncRAT bat booking Spam-ITA StormKitty VenomRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
registry.ps1
Verdict:
Malicious activity
Analysis date:
2024-12-30 13:22:56 UTC
Tags:
loader rat asyncrat remote
Link:
https://app.any.run/tasks/a09840e8-aca8-45cf-8b1d-5e5915f913c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6774f4231ada707798251709
Tags:
trojan shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd lolbin powershell
Link:
https://www.filescan.io/uploads/6774f4281a364598ae02e8d9/reports/827588fc-4ec2-4d7e-93e9-1e2e58be8114/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10
Result
Verdict:
UNKNOWN
Result
Threat name:
AveMaria, DcRat, KeyLogger, StormKitty,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582970
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected BrowserPasswordDump
Yara detected DcRat
Yara detected Generic Downloader
Yara detected Keylogger Generic
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected Strela Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1582970 Sample: gqub.bat Startdate: 01/01/2025 Architecture: WINDOWS Score: 100 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 16 other signatures 2->50 8 cmd.exe 1 2->8         started        process3 signatures4 54 Suspicious powershell command line found 8->54 56 Bypasses PowerShell execution policy 8->56 11 powershell.exe 14 35 8->11         started        15 cmd.exe 1 8->15         started        17 conhost.exe 8->17         started        process5 file6 36 C:\Users\user\AppData\...\vbemnivw.cmdline, Unicode 11->36 dropped 38 C:\Users\user\AppData\Local\...\vbemnivw.0.cs, Unicode 11->38 dropped 58 Found many strings related to Crypto-Wallets (likely being stolen) 11->58 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->60 62 Writes to foreign memory regions 11->62 64 3 other signatures 11->64 19 RegAsm.exe 11->19         started        22 RegAsm.exe 1 3 11->22         started        25 csc.exe 3 11->25         started        30 2 other processes 11->30 28 curl.exe 1 15->28         started        signatures7 process8 dnsIp9 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->52 40 157.20.182.177, 4449, 49702 FCNUniversityPublicCorporationOsakaJP unknown 22->40 34 C:\Users\user\AppData\Local\...\vbemnivw.dll, PE32 25->34 dropped 32 cvtres.exe 1 25->32         started        42 147.45.44.131, 49699, 49700, 80 FREE-NET-ASFREEnetEU Russian Federation 28->42 file10 signatures11 process12
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obtojjew3a7odntxvxqgzbukimv3jig5gzfrt3qyifd2kj5rdqia._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
AsyncRAT
320db923b7c701a6005e465a082ad48c2f3c8f36145ece15b4980a44202383fe
AsyncRAT
569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157
AsyncRAT
5d8b55532cda3855a8211e70366648a22ef5193dd36931fa61e3393290c2ada9
AsyncRAT
7e129f68ebb1e8730941dcf50344e256bd0e32f29cac0e641426b88a17e131c6
AsyncRAT
ad822394ecd393272d3d1ba77306e502ee90259f4c328dab80e9d6b5e4bd363f
AsyncRAT
b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1
AsyncRAT
error
AsyncRAT
fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
AsyncRAT
+ 1 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery execution rat stealer
Link:
https://tria.ge/reports/250101-jqd3vaypgx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_david_CSC846
Create hunting rule
Author:David
Description:CSC-846 Golang

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments