MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76f69eda4404d2b34e8c169dc5caff15db494cba09bb837ecfeab11c430131db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76f69eda4404d2b34e8c169dc5caff15db494cba09bb837ecfeab11c430131db
SHA3-384 hash: e0ada3a8360a9dfd3613587b019cef31c9a90f40d8ec5195a9fa2e0862eb9b9ed7f41e15c1fda3263ae8e0c7d1373937
SHA1 hash: deebd422ab1d512cc175c3abbe89b6402db9ee88
MD5 hash: f31df7ed250c9ba0d937fdd1a094ba11
humanhash: uncle-paris-comet-cardinal
File name:hubur512.ps1
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:15'725 bytes
First seen:2025-04-22 09:40:12 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 384:VBzG9iNNwqTlla6D0BcB8Z5HyTj95tzatvCEG8hBK4KPNwiqtxc5sRozWWm:VBYiXho60BcBG5HIjbtzaNvG8sP2txc+
Threatray 1'454 similar samples on MalwareBazaar
TLSH T187626DF38B123026590FC605CA2DA36E9D961E9A1FE576FE95C83C13825773812D39CE
Magika powershell
Reporter JAMESWT_WT
Tags:AsyncRAT aula01-ddns-net aula012-accesscam-org bart2025-duckdns-org ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68076593280f5f89a0d338a7
Tags:
dropper shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive
Link:
https://www.filescan.io/uploads/6807640f931404048d811ff7/reports/7436188e-f2ce-479a-ba1d-142a3bdd039c/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/76f69eda4404d2b34e8c169dc5caff15db494cba09bb837ecfeab11c430131db
Result
Threat name:
AsyncRAT, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1670950
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1670950 Sample: hubur512.ps1 Startdate: 22/04/2025 Architecture: WINDOWS Score: 100 60 bart2025.duckdns.org 2->60 62 aula01.ddns.net 2->62 64 2 other IPs or domains 2->64 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 90 17 other signatures 2->90 10 powershell.exe 18 32 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 88 Uses dynamic DNS services 62->88 process4 dnsIp5 66 docs2025.com.br 147.93.37.98, 443, 49683, 49684 ICN-ASUS Belgium 10->66 52 C:\Users\Public\1xx.txt, ASCII 10->52 dropped 54 C:\Users\Public\1tron.vbs, ASCII 10->54 dropped 56 C:\Users\Public\1tron.ps1, ASCII 10->56 dropped 58 C:\Users\Public\1tron.bat, ASCII 10->58 dropped 16 wscript.exe 1 10->16         started        19 wscript.exe 10->19         started        21 wscript.exe 10->21         started        23 conhost.exe 10->23         started        68 127.0.0.1 unknown unknown 14->68 file6 process7 signatures8 74 Wscript starts Powershell (via cmd or directly) 16->74 76 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->76 78 Suspicious execution chain found 16->78 25 cmd.exe 1 16->25         started        28 cmd.exe 19->28         started        30 cmd.exe 21->30         started        process9 signatures10 92 Suspicious powershell command line found 25->92 94 Wscript starts Powershell (via cmd or directly) 25->94 96 Bypasses PowerShell execution policy 25->96 32 powershell.exe 14 25->32         started        35 conhost.exe 25->35         started        37 powershell.exe 28->37         started        39 conhost.exe 28->39         started        41 powershell.exe 30->41         started        43 conhost.exe 30->43         started        process11 signatures12 80 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->80 45 aspnet_regbrowsers.exe 32->45         started        47 aspnet_regbrowsers.exe 2 37->47         started        50 aspnet_regbrowsers.exe 3 41->50         started        process13 dnsIp14 70 aula01.ddns.net 45.165.2.241, 2020, 2021, 5536 TEONETTELECOMUNICACOESEIRELIBR Brazil 47->70 72 bart2025.duckdns.org 128.90.103.228, 2020, 7707 PHMGMT-AS1US United States 47->72
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/76f69eda4404d2b34e8c169dc5caff15db494cba09bb837ecfeab11c430131db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76f69eda4404d2b34e8c169dc5caff15db494cba09bb837ecfeab11c430131db/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o33j5wseatjlgtumc2o4lsx7cxnustf2bg5yg7wp5kyryqybghnq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
35c73c6c8bed8697de74b1509caf030fae69fb856edefc47342adde573da928c
AsyncRAT
5732891fc200a9a59fdf3b2f96d5977152d1b76eb7220c8fcb28fc476945cddc
AsyncRAT
6bb2386101837fd4e8a32018f2d8ec5bbd646bef9a5513783f782fe2ae1ff3e0
AsyncRAT
adc29eb24db484b14101ce4ab0e8eeda1586009dd65f980e596c8fa45703678c
AsyncRAT
bdd678604bbefecbc2b54dfd55b1cd677e151bf1e5ee59ab2860363c27d73d16
AsyncRAT
c72c02aa10e6609c29969f89b655aa99c7416aa87b391cf877fb1d31982bab66
AsyncRAT
error
AsyncRAT
fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
AsyncRAT
+ 1'444 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:quarto discovery execution rat
Link:
https://tria.ge/reports/250422-lnf6javrs2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:5536
127.0.0.1:5155
127.0.0.1:2020
127.0.0.1:2021
aula01.ddns.net:6606
aula01.ddns.net:7707
aula01.ddns.net:8808
aula01.ddns.net:5536
aula01.ddns.net:5155
aula01.ddns.net:2020
aula01.ddns.net:2021
bart2025.duckdns.org:6606
bart2025.duckdns.org:7707
bart2025.duckdns.org:8808
bart2025.duckdns.org:5536
bart2025.duckdns.org:5155
bart2025.duckdns.org:2020
bart2025.duckdns.org:2021
aula012.accesscam.org:6606
aula012.accesscam.org:7707
aula012.accesscam.org:8808
aula012.accesscam.org:5536
aula012.accesscam.org:5155
aula012.accesscam.org:2020
aula012.accesscam.org:2021
Dropper Extraction:
https://docs2025.com.br/1xx.pdf
https://docs2025.com.br/1type.pdf
https://docs2025.com.br/1tronvbs.pdf
https://docs2025.com.br/1Execute.pdf
https://docs2025.com.br/1Framework.pdf
https://docs2025.com.br/1invoke.pdf
https://docs2025.com.br/1load.pdf
https://docs2025.com.br/1method.pdf
https://docs2025.com.br/1msg.pdf
https://docs2025.com.br/1runpe.pdf
https://docs2025.com.br/1tronbat.pdf
https://docs2025.com.br/1tronps1.pdf
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/76f69eda4404d2b34e8c169dc5caff15db494cba09bb837ecfeab11c430131db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

PowerShell (PS) ps1 76f69eda4404d2b34e8c169dc5caff15db494cba09bb837ecfeab11c430131db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3521869/
  
Delivery method
Distributed via web download

Comments