MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75455f8fe0ddf7a4cc93ea0072c3786bb4ec968930f182ccfcb4474c44d62484. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 7 File information Comments

SHA256 hash:	75455f8fe0ddf7a4cc93ea0072c3786bb4ec968930f182ccfcb4474c44d62484
SHA3-384 hash:	8d642ec1a153a010ef2d38ee7fbc17384c5ff704b633ae9dde2586f0e3d070291f7a3af648d637a8525949383e669ef1
SHA1 hash:	274ad248f1a7669b8453fa09ede42ec339115cff
MD5 hash:	f2078386fd781f11b00cace49f7217c1
humanhash:	missouri-blossom-six-kilo
File name:	ZHDJFEB83MK.vbs
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	730 bytes
First seen:	2021-08-27 16:30:45 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12:0ChGF2MBNBXNoxAbOJk82cG2bwELPdg3Nfd+aaiTC:HgF2SNBXQXG2UE7kNEuC
Threatray	1'204 similar samples on MalwareBazaar
TLSH	T18E012B0A4D29CDDB0049F19202D34DE9C6704BA74F807E7A247479476CAD22F6DCCD87
Reporter	abuse_ch
Tags:	AsyncRAT RAT vbs

abuse_ch

AsyncRAT C2:
103.147.185.192:7840

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
103.147.185.192:7840	https://threatfox.abuse.ch/ioc/201082/

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/182960/

Detection(s):

SecuriteInfo.com.ISB.Downloadergen76.25228.27928.UNOFFICIAL

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/840520

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Obfuscated command line found

Sigma detected: Suspicious PowerShell Command Line

Sigma detected: Suspicious PowerShell Keywords

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

VBScript performs obfuscated calls to suspicious functions

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Yara detected MSILLoadEncryptedAssembly

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/75455f8fe0ddf7a4cc93ea0072c3786bb4ec968930f182ccfcb4474c44d62484/

Threat name:

Script.Downloader.Heuristic

Status:

Malicious

First seen:

2021-08-27 16:31:14 UTC

AV detection:

3 of 45 (6.67%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ovcv7d7a3x32jtet5iahfq3yno2ozfujgdyyfth4wrduyrgwesca._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

220bb2b7deba41f53a8d86d677691aff283314a29c27cc49b2ba396699237825

AsyncRAT

438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49

AsyncRAT

87b7b68ed10c1e85866fc17772627f0577d6f6e578ee8a36a0fb598e46c78cd0

AsyncRAT

b51c07d9a4e50ac499514d378320260821bd7486acd1077a6bddf8ab70c6a2b3

AsyncRAT

bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de

AsyncRAT

ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611

AsyncRAT

ecb8839117d73d33390c84f7f6e02f4970156ccb2da7b48083922f60625fa8be

AsyncRAT

fee6cda76d8c5b289b76deba1176049e529f51ac06f817a8a22ec77b17d74f35

AsyncRAT

+ 1'194 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat suricata

Link:

https://tria.ge/reports/210827-c8q79wmtxe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Blocklisted process makes network request

Async RAT payload

AsyncRat

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Malware Config

C2 Extraction:

jilldoggyy.duckdns.org:7840
jilldoggyy.duckdns.org:7829
jilldoggyy.duckdns.org:7841
103.147.185.192:7840
103.147.185.192:7829
103.147.185.192:7841

Dropper Extraction:

http://transfer.sh/1rhbiXf/JFjffj.txt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/75455f8fe0dd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/75455f8fe0ddf7a4cc93ea0072c3786bb4ec968930f182ccfcb4474c44d62484

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	pe_imphash Create hunting rule

Rule name:	PowerShell_Case_Anomaly Create hunting rule
Author:	Florian Roth
Description:	Detects obfuscated PowerShell hacktools
Reference:	https://twitter.com/danielhbohannon/status/905096106924761088

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182960/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample