MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a236041466bb178baae9a3e7bba8f50e4dd89d3c0a12e9d8eb6fa8c088b63381. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a236041466bb178baae9a3e7bba8f50e4dd89d3c0a12e9d8eb6fa8c088b63381
SHA3-384 hash: 9adf606899fb97389fe478b6d9682f2f906c647130272a4701f4649ceb5a89923eaebcfbea67bff2dea3fc845a8adae8
SHA1 hash: 50273e4106f01c4a094a9022a65854d1f2d35f26
MD5 hash: 4c44c08f7fbb32d8077c4db9b9e13a42
humanhash: sierra-violet-butter-hydrogen
File name:185.7.214.54.ps1
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:714 bytes
First seen:2025-02-13 07:14:31 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:NtmpvYNZKdJQbnms1CzRRE4m3hRkyRaXBH2XXpAmOGMkeqEwSrM7BAUFVmMUUwMT:iZKK7QbnmsEEIYqBH2JVuqEwSWAUFVms
TLSH T1A301FE16E84F4462C832EBFBD2E0082255B9462F18898A2EBFC8351597683BC8D92094
Magika powershell
Reporter JAMESWT_WT
Tags:185-7-214-54 AsyncRAT booking ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ad9c1628ab76d43a5aaa41
Tags:
autorun trojan shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
persistence
Link:
https://www.filescan.io/uploads/67ad9c0b1195447a80c3c6fb/reports/6592bdaf-9142-4acf-856f-6469befa0e4f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a236041466bb178baae9a3e7bba8f50e4dd89d3c0a12e9d8eb6fa8c088b63381
Result
Verdict:
UNKNOWN
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614033
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Found malicious URL file
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Powerup Write Hijack DLL
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1614033 Sample: 185.7.214.54.ps1 Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 48 tse1.mm.bing.net 2->48 50 mm-mm.bing.net.trafficmanager.net 2->50 52 5 other IPs or domains 2->52 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 12 other signatures 2->64 10 powershell.exe 15 21 2->10         started        15 notepad.exe 5 2->15         started        signatures3 process4 dnsIp5 56 147.45.44.42, 49721, 49723, 80 FREE-NET-ASFREEnetEU Russian Federation 10->56 42 C:\Windows\Temp\cmd.bat, DOS 10->42 dropped 44 C:\Users\user\AppData\...\DeleteApp.url, MS 10->44 dropped 70 Compiles code for process injection (via .Net compiler) 10->70 17 cmd.exe 1 10->17         started        19 conhost.exe 10->19         started        file6 signatures7 process8 process9 21 powershell.exe 22 17->21         started        26 conhost.exe 17->26         started        dnsIp10 54 185.7.214.54, 4411, 49722, 49724 DELUNETDE France 21->54 38 C:\Users\user\AppData\...\fz5vz5tk.cmdline, Unicode 21->38 dropped 40 C:\Users\user\AppData\Local\...\fz5vz5tk.0.cs, Unicode 21->40 dropped 66 Writes to foreign memory regions 21->66 68 Injects a PE file into a foreign processes 21->68 28 MSBuild.exe 2 21->28         started        31 csc.exe 3 21->31         started        file11 signatures12 process13 file14 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->72 34 WerFault.exe 23 16 28->34         started        46 C:\Users\user\AppData\Local\...\fz5vz5tk.dll, PE32 31->46 dropped 36 cvtres.exe 1 31->36         started        signatures15 process16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a236041466bb178baae9a3e7bba8f50e4dd89d3c0a12e9d8eb6fa8c088b63381
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a236041466bb178baae9a3e7bba8f50e4dd89d3c0a12e9d8eb6fa8c088b63381/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-13 07:04:54 UTC
File Type:
Text
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ui3aifdgxmlyxkxjupt3xkhvbzg5rhj4bijotwhln6umbcfwgoaq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250213-h3aeravrfv/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a236041466bb178baae9a3e7bba8f50e4dd89d3c0a12e9d8eb6fa8c088b63381

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Methodology_Suspicious_Shortcut_Local_URL
Create hunting rule
Author:@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Description:Detects local script usage for .URL persistence
Reference:https://twitter.com/cglyer/status/1176184798248919044
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

PowerShell (PS) ps1 a236041466bb178baae9a3e7bba8f50e4dd89d3c0a12e9d8eb6fa8c088b63381

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3438240/
  
Delivery method
Distributed via web download

Comments