MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7431c1aba1c01818fdeb98be54f3899329e3b72f6c384cf3c5a01ac12108dc84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7431c1aba1c01818fdeb98be54f3899329e3b72f6c384cf3c5a01ac12108dc84
SHA3-384 hash: 8c00cd97663eab3d69d84037e47f7ece1d0e137344693325725d31834849005c3fcaf3eece096c8fa0eafd3446364e38
SHA1 hash: 1667342ed9b96be9700e2c83c6c92f43024f3396
MD5 hash: 41691b426de8a75b092a398ec758f088
humanhash: foxtrot-mississippi-river-south
File name:ABRIR FACTURA ELECTRONICA GENERADA FVE36721 REVISADO Y APROBADO POR LA DIAN 830073450 MCS CONSULTORIA Y MONITOREO AMBIENTAL S A S (1).js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:400'023 bytes
First seen:2025-05-13 18:30:06 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:CLzTMoTxKF46Y7qj142lpveLzTMoTxKF46Y7qj142lpb:O1yhHj3vq1yhHj3b
Threatray 111 similar samples on MalwareBazaar
TLSH T1BE84610A6F1160B154F7A35ABE2A8204E5313317945286373AFED6446F72CC4D7BAFE8
Magika javascript
Reporter smica83
Tags:AsyncRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
435
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682390e54a59e5a2ce044625
Tags:
xtreme shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/68238fc0322922535cb10324/reports/0c8e8666-9d51-4b45-82b6-b2b70032ac28/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7431c1aba1c01818fdeb98be54f3899329e3b72f6c384cf3c5a01ac12108dc84
Result
Threat name:
AsyncRAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1689271
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Javascript file is likely language aware (will only work on specific systems)
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1689271 Sample: S A S (1).js Startdate: 13/05/2025 Architecture: WINDOWS Score: 100 28 eduardocaballero5070.duckdns.org 2->28 30 paste.ee 2->30 32 3 other IPs or domains 2->32 52 Suricata IDS alerts for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 62 17 other signatures 2->62 9 wscript.exe 1 1 2->9         started        13 svchost.exe 1 1 2->13         started        signatures3 58 Uses dynamic DNS services 28->58 60 Connects to a pastebin service (likely for C&C) 30->60 process4 dnsIp5 36 paste.ee 23.186.113.60, 443, 49683, 49684 KLAYER-GLOBALNL Reserved 9->36 64 System process connects to network (likely due to code injection or exploit) 9->64 66 JScript performs obfuscated calls to suspicious functions 9->66 68 Suspicious powershell command line found 9->68 70 3 other signatures 9->70 15 powershell.exe 15 16 9->15         started        38 127.0.0.1 unknown unknown 13->38 signatures6 process7 dnsIp8 40 ia800801.us.archive.org 207.241.230.81, 443, 49686 INTERNET-ARCHIVEUS United States 15->40 42 archive.org 207.241.224.2, 443, 49685 INTERNET-ARCHIVEUS United States 15->42 44 Found Tor onion address 15->44 46 Creates autostart registry keys with suspicious values (likely registry only malware) 15->46 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->48 50 2 other signatures 15->50 19 jsc.exe 2 15->19         started        22 cmd.exe 1 15->22         started        24 conhost.exe 15->24         started        signatures9 process10 dnsIp11 34 eduardocaballero5070.duckdns.org 181.131.218.182, 49693, 5080 EPMTelecomunicacionesSAESPCO Colombia 19->34 26 conhost.exe 22->26         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7431c1aba1c01818fdeb98be54f3899329e3b72f6c384cf3c5a01ac12108dc84/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-13 18:30:22 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqy4dk5byambr7pltc7fj44jsmu6hnzpnq4ez46fuanmciii3sca._file
Verdict:
malicious
Label(s):
zgrat
Create hunting rule
Similar samples:
193b0e630f9dcdc6ee0448bd2f9baf8b17928506019ea12e89b681a6799b60a0
AsyncRAT
46bd635e26e21146d449e2032e7771614808a77c315c5d9478067ed9d6d6af2a
AsyncRAT
62c0672bd77beaab3e5546944e23f7db1f66a207d9eecbedcaaebb4bfc47b954
AsyncRAT
81e537dce98cc6dc16ee045eafc374a47a228831fa805a8290bed8115c870bb4
AsyncRAT
cb859f68816f0ced3b81286af4c046aee24df83455e5bccef39d6d1f818cf95f
AsyncRAT
e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad
AsyncRAT
error
AsyncRAT
fd324ca4274023352ae7ce6b53dbd06a8cd6ec81653dd0bc0bc0ef7987022485
AsyncRAT
+ 101 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat discovery execution persistence rat
Link:
https://tria.ge/reports/250513-w5lgpafk6x/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7431c1aba1c01818fdeb98be54f3899329e3b72f6c384cf3c5a01ac12108dc84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments