MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bd2ae95df444e91d6f69cd4b8555928e8f456afd7cab4cbdf04949835296ff3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bd2ae95df444e91d6f69cd4b8555928e8f456afd7cab4cbdf04949835296ff3
SHA3-384 hash: 1aa49606d890ed47983c4e30e559e7cacf54a82f1481309d40501ac883e93b81e99c9f30506fea0653d3fa55db627413
SHA1 hash: 3a1db8744b6d353f1734210a882e8e1507af7f9a
MD5 hash: da4ba60840bac1301db34636b0d06dfc
humanhash: chicken-white-may-grey
File name:Uni.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:9'800'808 bytes
First seen:2023-01-27 10:40:32 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:LzWaEmBuAxukvlQNdYHAE9z+CLMT3y0eN2Qnj1RXtPHdDpsxAgc/KWn/+nhseYKL:w
Threatray 4'136 similar samples on MalwareBazaar
TLSH T14DA63320AF595DBF09AC8228B0BF7E0C1FE41FC1D449E1DB96E5B5DB258FB01512B81A
Reporter r3dbU7z
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Uni.bat
Verdict:
Malicious activity
Analysis date:
2023-01-27 10:41:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/01863e58-915c-4aec-a1f5-daa4850d5d93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357361/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
stealer
Link:
https://www.filescan.io/uploads/63d3aa40696b2d9725749fbb/reports/0ff720d0-c926-41ed-98a3-dc8e186f949b/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160152
Signature
Bypasses PowerShell execution policy
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Powershell drops PE file
Renames powershell.exe to bypass HIPS
Self deletion via cmd or bat file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 792889 Sample: Uni.bat Startdate: 27/01/2023 Architecture: WINDOWS Score: 100 72 letsdo19877.strangled.net 2->72 84 Suspicious powershell command line found 2->84 86 Very long command line found 2->86 88 Yara detected Costura Assembly Loader 2->88 11 cmd.exe 2 2->11         started        15 $sxr-powershell.exe 14 2->15         started        signatures3 process4 file5 70 C:\Users\user\Desktop\Uni.bat.exe, PE32+ 11->70 dropped 114 Uses ping.exe to sleep 11->114 116 Uses ping.exe to check the status of other devices and networks 11->116 118 Renames powershell.exe to bypass HIPS 11->118 17 Uni.bat.exe 1 19 11->17         started        21 conhost.exe 11->21         started        23 conhost.exe 15->23         started        signatures6 process7 file8 62 C:\Windows\$sxr-powershell.exe, PE32+ 17->62 dropped 76 Suspicious powershell command line found 17->76 78 Very long command line found 17->78 80 Self deletion via cmd or bat file 17->80 82 6 other signatures 17->82 25 $sxr-powershell.exe 12 17->25         started        29 dllhost.exe 17->29         started        31 dllhost.exe 17->31         started        33 2 other processes 17->33 signatures9 process10 file11 64 C:\Windows\System32\vcruntime140d.dll, PE32+ 25->64 dropped 66 C:\Windows\System32\vcruntime140_1d.dll, PE32+ 25->66 dropped 68 C:\Windows\System32\ucrtbased.dll, PE32+ 25->68 dropped 94 Suspicious powershell command line found 25->94 96 Very long command line found 25->96 98 Drops executables to the windows directory (C:\Windows) and starts them 25->98 112 2 other signatures 25->112 51 7 other processes 25->51 100 Writes to foreign memory regions 29->100 102 Creates a thread in another existing process (thread injection) 29->102 104 Injects a PE file into a foreign processes 29->104 35 lsass.exe 29->35 injected 38 winlogon.exe 29->38 injected 40 svchost.exe 29->40 injected 53 11 other processes 29->53 106 Found stalling execution ending in API Sleep call 31->106 108 Contains functionality to inject code into remote processes 31->108 110 Uses ping.exe to sleep 33->110 42 PING.EXE 33->42         started        45 conhost.exe 33->45         started        47 taskkill.exe 33->47         started        49 attrib.exe 33->49         started        signatures12 process13 dnsIp14 90 Writes to foreign memory regions 35->90 55 MpCmdRun.exe 35->55         started        57 dllhost.exe 38->57         started        74 192.168.2.1 unknown unknown 42->74 signatures15 process16 signatures17 60 conhost.exe 55->60         started        92 Creates a thread in another existing process (thread injection) 57->92 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bd2ae95df444e91d6f69cd4b8555928e8f456afd7cab4cbdf04949835296ff3/
Threat name:
Script-BAT.Downloader.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 10:41:11 UTC
File Type:
Text
AV detection:
6 of 26 (23.08%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rpjk5fo7irhjdvxwttklqvkzfdupivvp27fljs67askjqnjjn7zq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0c46021aa8d5a1164ee93248ea12f42e05612006943fb9bf32d2d4fbd4a9dcbc
AsyncRAT
211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
AsyncRAT
266aa1bf199f3bd82bc8e708c177aeef4808e31c439f87d69b68efb8e07da996
AsyncRAT
50c2bec0fbc955824b6b2648d30fc42a5fc64994411fdb6026f560d0aa8e178e
AsyncRAT
65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9
AsyncRAT
6ab6da6a16571db04901c0dcd2bf72d189159eb8a8c98e15caf28aadff57e492
AsyncRAT
cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
AsyncRAT
dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
AsyncRAT
ef1cb9555d780addb510d052b41f070dbdeb931c3f916bf345a419a4d437a167
AsyncRAT
+ 4'126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230127-mq4kaaac32/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bd2ae95df444e91d6f69cd4b8555928e8f456afd7cab4cbdf04949835296ff3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Batch (bat) bat 8bd2ae95df444e91d6f69cd4b8555928e8f456afd7cab4cbdf04949835296ff3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/357361/

Comments