MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92dabfde91df07a3b2105e5972fbd2f5acf64b53465b60165a53e0795c1be8ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 10



SHA256 hash: 92dabfde91df07a3b2105e5972fbd2f5acf64b53465b60165a53e0795c1be8ba
SHA3-384 hash: ea78349b5421bc4936e76c15c8c42eb19b0c0983cf4ad565c65da7ec1a8f7e26e42174e82c6eb3ca30c709e888d38a15
SHA1 hash: 4cf7806f2c4f3c8c6bc8f60136184dfaf9403bfe
MD5 hash: 9c1485199b805f83240c24dca97fd748
humanhash: seventeen-asparagus-cold-maryland
File name: inv.bat
Signature: AsyncRAT
File size: 50'686 bytes
First seen: 2023-01-14 07:41:40 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 768:2pwdf+CuJAD1MWy+hY6xWayFw8yyJFCaan4qNiO1x7xAMmqBd1PlBvTAJfoP1zPW:2EjEwH7WFMHrf96jTXOrUyflfJ7MAo/
Threatray: 2'816 similar samples on MalwareBazaar
TLSH: T12333E19992C68A93136C126810CAC78A56D3AAE77D32B2CE27313D97F015F9743B374D
Reporter: jomphatt
Tags: AsyncRAT bat

Intelligence


File Origin
# of uploads: 1
# of downloads: 126
Origin country: TH

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: inv.bat
Verdict: Malicious activity
Analysis date: 2023-01-13 20:36:50 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: UNKNOWN

Result
Threat name: ArrowRAT, EICAR
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected ArrowRAT
Yara detected EICAR
Behaviour
Behavior Graph (graph image not reproduced in text): Behavior Graph ID: 784315, Sample: inv.bat, Startdate: 14/01/2023, Architecture: WINDOWS, Score: 100.
Process chain shown in the graph: cmd.exe (drops C:\Users\user\Desktop\inv.bat.exe, PE32+) -> inv.bat.exe (drops C:\Users\user\AppData\Local\Temp\zvmijs.bat, DOS) -> cmd.exe -> powershell.exe -> cmd.exe (drops C:\Users\user\AppData\...\zvmijs.bat.exe, PE32+) -> zvmijs.bat.exe -> cvtres.exe, explorer.exe and cmd.exe -> choice.exe; a conhost.exe is started alongside each cmd.exe, and explorer.exe is also started at sample start.
Network contacts shown in the graph: Pandorace.ddnsgeek.com; mulla2022.hopto.org (185.176.220.29, ports 49698, 49700, 8808, LV-2CLOUD-ASN16LV, Latvia); windowsupdatebg.s.llnwi.net.
The signatures attached to the graph nodes are the ones listed under Signature above.
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2023-01-14 04:44:02 UTC
File Type: Text (Batch)
AV detection: 3 of 38 (7.89%)
Threat level: 5/5

Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: AsyncRAT
File type: Batch (bat)
SHA256: 92dabfde91df07a3b2105e5972fbd2f5acf64b53465b60165a53e0795c1be8ba (this sample)

Comments