MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277
SHA3-384 hash:	3e1834090d2aebd00087e4d53fd18da63de806d3160a1ea72e719c858294043535240d0fabc02900fc789afeb99d18b8
SHA1 hash:	01c511218bb4543fb0e901b8409e699cf7b3e515
MD5 hash:	c196b217bd2133261e89d08e7dee3a11
humanhash:	oklahoma-london-lion-asparagus
File name:	WMIEventLogs.js
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	55'202 bytes
First seen:	2025-08-23 09:26:47 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	192:WyBtTSWEY+DR8XClf7r40GKidvzFxaHny7Ytrdgc5Nhi/t:Pypmc5WV
TLSH	T18C43F8904BFB7C32942E2993A29BDD835120A731FE2D515A10AD3F7DA69C2C7513B6C3
Magika	javascript
Reporter	abuse_ch
Tags:	AsyncRAT js

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a989986eed937d746d317a

Tags:

obfuscate cryxos xtreme virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm obfuscated powershell

Link:

https://www.filescan.io/uploads/68a9898a4a87ed796768fc4c/reports/c5c9a65b-c74d-433b-8d40-3a77f125a581/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277

Verdict:

Malicious

File Type:

First seen:

2025-08-23T00:17:00Z UTC

Last seen:

2025-08-23T00:17:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277/results?tab=lookup

Result

Threat name:

AsyncRAT, Dacic, DcRat

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1763562

Signature

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Found malware configuration

Found Tor onion address

Injects a PE file into a foreign processes

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Yara detected Dacic

Yara detected DcRat

Yara detected Generic Downloader

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

55%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277

Gathering data

Detection:

dcrat

Link:

https://mwdb.cert.pl/sample/947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277/

Threat name:

Script-JS.Trojan.Cryxos

Status:

Malicious

First seen:

2025-08-23 06:47:26 UTC

File Type:

Binary

AV detection:

8 of 38 (21.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=srzdf4z4fkxt344vfur4ntt5meobzqg2yhy6fmrwvolkqtvtej3q._file

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:21 agt defense_evasion discovery execution rat

Link:

https://tria.ge/reports/250823-lfac1strs6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Modifies trusted root certificate store through registry

AsyncRat

Asyncrat family

Process spawned unexpected child process

Malware Config

C2 Extraction:

corepulsesync.ydns.eu:1000

Dropper Extraction:

https://archive.org/download/optimized_msi_20250821/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

js 947232f33c2aaf3df3952d23c6ce7d611c1cc0dac1f1e2b236ab96a84eb32277

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3597685/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample