MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 760de76033fc771ea58714885fc528d0b14ed5ef45f2080971687cc182883846. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 760de76033fc771ea58714885fc528d0b14ed5ef45f2080971687cc182883846
SHA3-384 hash: db2bdeacc7ee675c9cf0ed88cd71076283d8491916e124c6c38f5ca3c4a7d1b33b21d131244596bd205b1a6839c6660c
SHA1 hash: 6a5ad0877388433989037bf2a6069b786261812e
MD5 hash: 115331957dcd78837e016750e63e1587
humanhash: harry-tennis-kitten-spaghetti
File name:bleh.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:50'584 bytes
First seen:2023-01-24 14:07:35 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:CzU6zHBhbzNsGUu6QTl3r19xS4e2RYpoEQA/9uC:mrzhh6G519x5RgVQAluC
Threatray 2'919 similar samples on MalwareBazaar
TLSH T1DD33F1542BCC84B823F8AFD0C59A6579EAA00DC10EF742ED73B2F94D227D9220E97551
Reporter James_inthe_box
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bleh.bat
Verdict:
Malicious activity
Analysis date:
2023-01-24 14:09:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c55d1cec-10f3-40f5-bc40-c9be974548f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356396/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63cfe64396add6d1cf485883/reports/e4d24b70-7e40-4b85-93f2-ec2ac03160e1/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157927
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Malicious sample detected (through community Yara rule)
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790664 Sample: bleh.bat Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 5 other signatures 2->57 10 cmd.exe 2 2->10         started        process3 file4 37 C:\Users\user\Desktop\bleh.bat.exe, PE32+ 10->37 dropped 61 Suspicious powershell command line found 10->61 63 Bypasses PowerShell execution policy 10->63 65 Renames powershell.exe to bypass HIPS 10->65 14 bleh.bat.exe 2 17 10->14         started        19 conhost.exe 10->19         started        signatures5 process6 dnsIp7 43 95.216.102.32, 49698, 49702, 49703 HETZNER-ASDE Germany 14->43 45 8.8.8.8 GOOGLEUS United States 14->45 41 C:\Users\user\AppData\Local\Temp\dawddp.bat, DOS 14->41 dropped 47 Tries to harvest and steal browser information (history, passwords, etc) 14->47 21 cmd.exe 1 14->21         started        file8 signatures9 process10 signatures11 59 Suspicious powershell command line found 21->59 24 powershell.exe 10 21->24         started        26 conhost.exe 21->26         started        process12 process13 28 cmd.exe 2 24->28         started        file14 39 C:\Users\user\AppData\...\dawddp.bat.exe, PE32+ 28->39 dropped 67 Renames powershell.exe to bypass HIPS 28->67 32 dawddp.bat.exe 13 28->32         started        35 conhost.exe 28->35         started        signatures15 process16 signatures17 49 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 32->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/760de76033fc771ea58714885fc528d0b14ed5ef45f2080971687cc182883846/
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-24 14:07:35 UTC
File Type:
Text (Batch)
AV detection:
1 of 39 (2.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyg6oybt7r3r5jmhcsef7rji2cyu5vppixzaqclrnb6mdauihbda._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
764250ddf94b90441193fe1c29754f231e0868d1878fdf3150e5744dd8d8c378
AsyncRAT
7f9558b222b78098c76f84c190fb28848c2f8e2e89cabfd7eb3ba83a6160c96d
AsyncRAT
80c1568ef979e0d9881fa33ee69c3f8c15caa924acd4df9e4c951a7047577caa
AsyncRAT
8df28341644c2139c9d9dfb6231169c70fdb5a18daf628bac6307503f4d0b80f
AsyncRAT
bd45e50b3ec1e76b4cc8c018131921f5237a356b1dcbc9ec69fdf9788edbea58
AsyncRAT
d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e
AsyncRAT
+ 2'909 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat spyware stealer
Link:
https://tria.ge/reports/230124-rfjvcadf3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AsyncRat
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/760de76033fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/760de76033fc771ea58714885fc528d0b14ed5ef45f2080971687cc182883846

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/356396/

Comments