MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7497c530f92f52b36c6ed172862fda4ff7bbc1392f14d22283dec82463c871eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7497c530f92f52b36c6ed172862fda4ff7bbc1392f14d22283dec82463c871eb
SHA3-384 hash: 7f110b33badd02284aaabf65c1f5b17160c158b9f9b27ae18e26e41dcd0bffc1c19290ecc72a20879bd0a6ac656286e5
SHA1 hash: 80a500d541a77f46ff341a4694973d4a2dc2d9cd
MD5 hash: b51e5cf586eeea8ad6f731d60dc774c9
humanhash: carolina-nitrogen-magazine-magnesium
File name:1534651 00 53 Juzgado 13 Laboral Circuito de Bogota DENUNCIA LABORAL ADMINISTRATIVO POR INCUMPLIMIENTO.js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:801'750 bytes
First seen:2025-07-24 19:21:00 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 1536:qw82IzDHnBdpX8xOabzCdhU0HWK1kqjh/ZuXa59GOzT9jAXct+59pIOcsTw+Zkhm:/
Threatray 87 similar samples on MalwareBazaar
TLSH T19A055EB3254841E6AA3A4FE78B1FD4CE518503128775F5F5CB23DC69D29EE80A1B4B38
Magika javascript
Reporter smica83
Tags:AsyncRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688287bfaf3050dc8d307fd9
Tags:
obfuscate xtreme spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/688287b67bc45bdee1b82412/reports/41e0fb24-ce7d-4d88-8a89-1837e7dffe6c/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/7497c530f92f52b36c6ed172862fda4ff7bbc1392f14d22283dec82463c871eb
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1743664
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1743664 Sample: PLIMIENTO.js Startdate: 24/07/2025 Architecture: WINDOWS Score: 100 24 feb18.freeddns.org 2->24 26 www.pastery.net 2->26 28 7 other IPs or domains 2->28 36 Suricata IDS alerts for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 15 other signatures 2->42 8 wscript.exe 1 1 2->8         started        signatures3 process4 dnsIp5 30 www.pastery.net 104.21.112.1, 443, 49691, 49696 CLOUDFLARENETUS United States 8->30 44 System process connects to network (likely due to code injection or exploit) 8->44 46 JScript performs obfuscated calls to suspicious functions 8->46 48 Suspicious powershell command line found 8->48 50 4 other signatures 8->50 12 powershell.exe 14 16 8->12         started        signatures6 process7 dnsIp8 32 files.catbox.moe 108.181.20.35, 443, 49693 ASN852CA Canada 12->32 52 Writes to foreign memory regions 12->52 54 Found suspicious powershell code related to unpacking or dynamic code loading 12->54 56 Injects a PE file into a foreign processes 12->56 16 MSBuild.exe 1 2 12->16         started        20 conhost.exe 12->20         started        signatures9 process10 dnsIp11 22 feb18.freeddns.org 178.73.192.14, 49697, 8848 PORTLANEwwwportlanecomSE Sweden 16->22 34 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->34 signatures12
Score:
9%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/7497c530f92f52b36c6ed172862fda4ff7bbc1392f14d22283dec82463c871eb
Gathering data
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7497c530f92f52b36c6ed172862fda4ff7bbc1392f14d22283dec82463c871eb/
Verdict:
Malicious
Threat:
HEUR:Trojan-Downloader.Script
Link:
https://tip.neiki.dev/file/7497c530f92f52b36c6ed172862fda4ff7bbc1392f14d22283dec82463c871eb
Threat name:
Script-JS.Backdoor.Asyncrat
Create hunting rule
Status:
Suspicious
First seen:
2025-07-24 18:23:08 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=osl4kmhzf5jlg3do2fziml62j733xqjzf4kneiud33eciy6iohvq._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
dcrat
Create hunting rule
Similar samples:
15c37fc34c843c04dd97fdb40a9c767c0964a02ee7c0d9b22fd67a85fcf39a8a
AsyncRAT
7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c
AsyncRAT
7c7a5c31bd9e844edac24329f239aaae326586fdcc4987b8dcdfbcf8dc20cb0a
AsyncRAT
81bbf492816fdf74123d81ae5f01d85764f9be418fe4930e7c569fcdff1b3787
AsyncRAT
a8fcd268b48c903e21500439d6754500d59d12d7d5d4e2c7ea737661fa8fe230
AsyncRAT
d79a750ee167a5091e3b3d72a7d0e818e4eb816d74cbf173bc65c54f8563f986
AsyncRAT
error
AsyncRAT
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250724-x2v3dsszhy/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://files.catbox.moe/vpp8pf.bmp
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/7497c530f92f52b36c6ed172862fda4ff7bbc1392f14d22283dec82463c871eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments