MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 873e3cdc28e17be1027c5b88f5899d2859b40bdbde0c929d32bb26468931c6e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 9



SHA256 hash: 873e3cdc28e17be1027c5b88f5899d2859b40bdbde0c929d32bb26468931c6e3
SHA3-384 hash: 67143b095323731c840d66450c7acf36dad1ea9373be2bf6f7a17ecdbd3811d2855850265a32665076d7c93fc171db91
SHA1 hash: 17dfbe73fa91d9bb0f22886c165df9ec85edd424
MD5 hash: 6490df82009c9b9b04a47bb1cf89a0c4
humanhash: artist-indigo-timing-lactose
File name: TK29.vbs
Signature: AsyncRAT
File size: 540 bytes
First seen: 2021-04-02 09:38:45 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 12:TTTTTTTTTTTzqaIDGuqRRMEaefgXZg/LTTTTTTTTj:TTTTTTTTTTTzqaufwRapWTTTTTTTTj
Threatray: 927 similar samples on MalwareBazaar
TLSH: 94F039524F5A673017C6AF400C9F10CBAFF15E7E03745BAD046368BB82144133931332
Reporter: abuse_ch
Tags: AsyncRAT RAT vbs


abuse_ch
AsyncRAT C2:
207.32.219.41:1996

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
207.32.219.41:1996   https://threatfox.abuse.ch/ioc/6486/

Intelligence


File Origin
# of uploads: 1
# of downloads: 192
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Using the Windows Management Instrumentation requests
Modifying a system file
Replacing files
Launching a service
Creating a process from a recently created file
Downloading the file
Creating a file in the %temp% directory
Blocking the Windows Defender launch
Result
Verdict: SUSPICIOUS
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Modifies Group Policy settings
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph: (graph image not recoverable from the page) Behavior Graph ID: 380718, Sample: TK29.vbs, Startdate: 02/04/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-04-02 09:39:06 UTC
AV detection: 1 of 44 (2.27%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat evasion rat trojan
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Windows security modification
Blocklisted process makes network request
Executes dropped EXE
Async RAT payload
AsyncRat
Modifies security service
Malware Config
C2 Extraction:
bad2.ddns.net:1996
Dropper Extraction:
http://gamecardsy.com/ahmadtestupl/DefenderControl.exe
http://gamecardsy.com/ahmadtestupl/DefenderKill.txt
http://gamecardsy.com/ahmadtestupl/Defender.bat
http://gamecardsy.com/ahmadtestupl/DefenderControl.txt
http://gamecardsy.com/ahmadtestupl/ff.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
Rule name: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author: ditekSHen
Description: Detects file containing reversed ASEP Autorun registry keys
Rule name: Reverse_text_bin_mem
Author: James_inthe_box
Description: Reverse text detected
Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT
Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments