MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b1b95a4e2b7ce6d451ed38ee70b0e085063d461e35d6cc156da845d026e9ff6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b1b95a4e2b7ce6d451ed38ee70b0e085063d461e35d6cc156da845d026e9ff6
SHA3-384 hash: 1ab8faaca21e13c5f3303056468c31d8538d76ba2890d75e02d8871fee0cb3fe07a59ea1a04a03478fe900ace67b4dd6
SHA1 hash: 9a96a3a349ce77ef3e4755c8211e227f690825b2
MD5 hash: b84d0d103a041346f8b537075535ab76
humanhash: oregon-vermont-muppet-friend
File name:bin homebots io
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:4'843'320 bytes
First seen:2024-09-08 06:32:32 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:9GUJYQMgA4fVDKFsLHk2tZIivxRBjx60Gou5SGnvxfdXwouiSHQJHhKv4:O
TLSH T12926024939497A992835EF7C3E1F500E26E887B1815513E0D7C3A79B8F2C909F8B52BD
Magika txt
Reporter JAMESWT_WT
Tags:AsyncRAT bat bin-homebots-io

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bin homebots io
Verdict:
No threats detected
Analysis date:
2024-09-08 06:41:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8fa24de-d48b-4dc5-aca4-0a4cf40ad746

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66dd4b423236667691a1fe72
Tags:
Execution Network Stealth
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd lolbin wmic
Link:
https://www.filescan.io/uploads/66dd4521f060cf43bf7f25ba/reports/1fcbe96b-2183-4022-aa05-43058422fbb7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7b1b95a4e2b7ce6d451ed38ee70b0e085063d461e35d6cc156da845d026e9ff6
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1507178
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found large BAT file
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1507178 Sample: bin homebots io.bat Startdate: 08/09/2024 Architecture: WINDOWS Score: 100 82 ipwho.is 2->82 88 Suricata IDS alerts for network traffic 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 .NET source code references suspicious native API functions 2->92 94 13 other signatures 2->94 10 wscript.exe 1 2->10         started        13 powershell.exe 2->13         started        15 cmd.exe 1 2->15         started        17 wscript.exe 2->17         started        signatures3 process4 signatures5 130 Wscript starts Powershell (via cmd or directly) 10->130 132 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->132 134 Suspicious execution chain found 10->134 19 cmd.exe 1 10->19         started        136 Writes to foreign memory regions 13->136 138 Modifies the context of a thread in another process (thread injection) 13->138 140 Injects a PE file into a foreign processes 13->140 22 dllhost.exe 13->22         started        24 conhost.exe 13->24         started        142 Suspicious powershell command line found 15->142 144 Suspicious command line found 15->144 26 powershell.exe 33 15->26         started        29 WMIC.exe 1 15->29         started        31 WMIC.exe 1 15->31         started        35 4 other processes 15->35 33 cmd.exe 17->33         started        process6 file7 96 Suspicious powershell command line found 19->96 98 Wscript starts Powershell (via cmd or directly) 19->98 100 Suspicious command line found 19->100 37 powershell.exe 19->37         started        41 WMIC.exe 1 19->41         started        51 5 other processes 19->51 102 Injects code into the Windows Explorer (explorer.exe) 22->102 104 Contains functionality to inject code into remote processes 22->104 106 Writes to foreign memory regions 22->106 116 3 other signatures 22->116 43 lsass.exe 22->43 injected 53 12 other processes 22->53 78 C:\Windows\$nya-onimai3\$nya-Loli.vbs, ASCII 26->78 dropped 80 C:\Windows\$nya-onimai3\$nya-Loli.bat, DOS 26->80 dropped 108 Uses schtasks.exe or at.exe to add and modify task schedules 26->108 110 Modifies the context of a thread in another process (thread injection) 26->110 112 Found suspicious powershell code related to unpacking or dynamic code loading 26->112 45 powershell.exe 36 26->45         started        47 schtasks.exe 1 26->47         started        114 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->114 49 powershell.exe 33->49         started        55 6 other processes 33->55 signatures8 process9 dnsIp10 84 79.110.49.144, 4040, 64188 OTAVANET-ASCZ Germany 37->84 86 ipwho.is 195.201.57.90, 443, 64190 HETZNER-ASDE Germany 37->86 118 Writes to foreign memory regions 37->118 120 Modifies the context of a thread in another process (thread injection) 37->120 122 Hides that the sample has been downloaded from the Internet (zone.identifier) 37->122 126 2 other signatures 37->126 57 powershell.exe 37->57         started        60 schtasks.exe 37->60         started        124 Loading BitLocker PowerShell Module 45->124 62 conhost.exe 45->62         started        64 conhost.exe 47->64         started        66 schtasks.exe 49->66         started        signatures11 process12 signatures13 128 Injects a PE file into a foreign processes 57->128 68 conhost.exe 57->68         started        70 powershell.exe 57->70         started        72 powershell.exe 57->72         started        74 conhost.exe 60->74         started        76 conhost.exe 66->76         started        process14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7b1b95a4e2b7ce6d451ed38ee70b0e085063d461e35d6cc156da845d026e9ff6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b1b95a4e2b7ce6d451ed38ee70b0e085063d461e35d6cc156da845d026e9ff6/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmnzljhcw7hg2ri62ohoocyobbighvdb4nowzqkw3kcf2atot73a._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/240908-hr3l6asenn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b1b95a4e2b7ce6d451ed38ee70b0e085063d461e35d6cc156da845d026e9ff6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments