MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81e537dce98cc6dc16ee045eafc374a47a228831fa805a8290bed8115c870bb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81e537dce98cc6dc16ee045eafc374a47a228831fa805a8290bed8115c870bb4
SHA3-384 hash: ca986beafeea375a3230b05aec5541438538c1b5adfe3d56a3a394a065bf2a4609f29dc943a934b064621f83078649eb
SHA1 hash: 32ab670439729a5be767c114376ce7a375459a98
MD5 hash: ec8b820c80e852b2a2df374f8c68e790
humanhash: virginia-california-fifteen-march
File name:fv09004496660232500001628.zip.js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'572 bytes
First seen:2025-04-29 09:24:30 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:ZIPwhanl84ggsGJJsBt9gFtqFtFtJQJmPNNFtO0UtusJ+nJ2ICnkBMCnikCn0XMK:ZGwhalXggsGJJsBt9gfqffJQJmPNNfOm
Threatray 140 similar samples on MalwareBazaar
TLSH T1CB514CB264138E271EED591502ADDB331FF36871709505AEE0D31ADE8C6EB1C55A317C
Magika javascript
Reporter JAMESWT_WT
Tags:arannsasaaransasaturituri2024-duckdns-org AsyncRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
447
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Siggen5.52868.10067.4965.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68109f30c8b2e86d0ac43d6a
Tags:
asyncrat shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/68109afcc502e7176af99a2d/reports/99b311d7-a6fb-46a7-b878-0b92e57bc895/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/81e537dce98cc6dc16ee045eafc374a47a228831fa805a8290bed8115c870bb4
Result
Threat name:
AsyncRAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677159
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677159 Sample: fv09004496660232500001628.zip.js Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 28 arannsasaaransasaturituri2024.duckdns.org 2->28 30 paste.ee 2->30 32 2 other IPs or domains 2->32 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 50 19 other signatures 2->50 9 wscript.exe 1 1 2->9         started        signatures3 46 Uses dynamic DNS services 28->46 48 Connects to a pastebin service (likely for C&C) 30->48 process4 dnsIp5 34 paste.ee 23.186.113.60, 443, 49692, 49693 KLAYER-GLOBALNL Reserved 9->34 52 System process connects to network (likely due to code injection or exploit) 9->52 54 JScript performs obfuscated calls to suspicious functions 9->54 56 Suspicious powershell command line found 9->56 58 3 other signatures 9->58 13 powershell.exe 15 16 9->13         started        signatures6 process7 dnsIp8 36 archive.org 207.241.224.2, 443, 49696 INTERNET-ARCHIVEUS United States 13->36 38 ia801700.us.archive.org 207.241.233.30, 443, 49697 INTERNET-ARCHIVEUS United States 13->38 60 Found Tor onion address 13->60 62 Creates autostart registry keys with suspicious values (likely registry only malware) 13->62 64 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->64 66 2 other signatures 13->66 17 jsc.exe 2 13->17         started        20 cmd.exe 1 13->20         started        22 conhost.exe 13->22         started        signatures9 process10 dnsIp11 26 arannsasaaransasaturituri2024.duckdns.org 164.152.167.246, 3009, 49699 MONSANTO-INETUS United States 17->26 24 conhost.exe 20->24         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81e537dce98cc6dc16ee045eafc374a47a228831fa805a8290bed8115c870bb4/
Threat name:
Script-JS.Backdoor.Asyncrat
Create hunting rule
Status:
Malicious
First seen:
2025-04-23 23:26:59 UTC
File Type:
Binary
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qhstpxhjrtdnyfxoarpk7q3uur5cfcbr7kafvauqx3mbcxehbo2a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0cb83a22eb4440dd9f04329ecd54615827916b54d0765818c315c3c034183248
AsyncRAT
0e97373d9626a28e247fa42b6735441aa606cdc5b1ef1bf1afdc0966b73bed4f
AsyncRAT
19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62
AsyncRAT
62c0672bd77beaab3e5546944e23f7db1f66a207d9eecbedcaaebb4bfc47b954
AsyncRAT
652f9425904c1411899bffd5d6396a611b4b74a901e0b3481a808da904c76ccb
AsyncRAT
6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89
AsyncRAT
85a225ec318849b576b381f4153502bc0466f56ee1afd3ee1953a0f455fd3cf6
AsyncRAT
cae1625466a6a04016312d888281c5aa0a4a75ef23d338f1d68cc15e9774a331
AsyncRAT
error
AsyncRAT
+ 130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250429-ldq8razpy3/
Behaviour
Script User-Agent
Command and Scripting Interpreter: JavaScript
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/81e537dce98cc6dc16ee045eafc374a47a228831fa805a8290bed8115c870bb4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Java Script (JS) js 81e537dce98cc6dc16ee045eafc374a47a228831fa805a8290bed8115c870bb4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3530010/
  
Delivery method
Distributed via web download

Comments