MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9
SHA3-384 hash: e36826e980d1ff2075bb3a3c5f5e34afa69dde3468787a90063e61e70c22f801a218c775651f422fea16bc8ddb97a149
SHA1 hash: e8b5052823ebf9d766ccb05c24dbc346744a26da
MD5 hash: a85d421e93c8ca32c2c5e5001fcccb0c
humanhash: snake-arizona-echo-football
File name:WMIEventLogs.js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:6'480'116 bytes
First seen:2025-11-16 17:03:54 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:X11111111111111111111111111111111111111111111111111111111111111H:tXqsfSrZVHVk6vA
TLSH T1B56601B642988A8342E600189FFC4115F2ABA9F7F753C85BBF1E51837729AD0C760E75
Magika javascript
Reporter abuse_ch
Tags:AsyncRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691a041abdb0ec3a9dc267f3
Tags:
obfuscate xtreme spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 fingerprint obfuscated obfuscated opendir overlay powershell repaired
Link:
https://www.filescan.io/uploads/691a041a824a1bd57407fa2e/reports/5f7a5c15-a1e8-45ec-a14f-6a4be76cda7a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9
Verdict:
Malicious
File Type:
js
First seen:
2025-11-15T05:39:00Z UTC
Last seen:
2025-11-17T10:20:00Z UTC
Hits:
~10
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9/results?tab=lookup
Result
Threat name:
AsyncRAT, Dacic, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1814941
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Dacic
Yara detected DcRat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1814941 Sample: WMIEventLogs.js Startdate: 16/11/2025 Architecture: WINDOWS Score: 100 20 hostphpwindowsdriversappssapo.duckdns.org 2->20 22 securityhealthservice.ydns.eu 2->22 24 ia601709.us.archive.org 2->24 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 38 13 other signatures 2->38 8 wscript.exe 1 2->8         started        signatures3 36 Uses dynamic DNS services 20->36 process4 signatures5 40 Suspicious powershell command line found 8->40 42 Wscript starts Powershell (via cmd or directly) 8->42 44 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->44 46 2 other signatures 8->46 11 powershell.exe 14 15 8->11         started        process6 dnsIp7 26 ia601709.us.archive.org 207.241.227.99, 443, 49720 INTERNET-ARCHIVEUS United States 11->26 28 hostphpwindowsdriversappssapo.duckdns.org 181.206.158.190, 1000, 49722, 49723 ColombiaMovilCO Colombia 11->28 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->48 50 Writes to foreign memory regions 11->50 52 Injects a PE file into a foreign processes 11->52 54 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->54 15 MSBuild.exe 1 2 11->15         started        18 conhost.exe 11->18         started        signatures8 process9 signatures10 56 Unusual module load detection (module proxying) 15->56
Score:
4%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/a85d421e93c8ca32c2c5e5001fcccb0c
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-16 10:03:14 UTC
File Type:
Binary
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4kdaskgowc3oobnhcnj6gbzahujh6gbafsznclembybtz5yudmq._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:oct respaldo discovery execution rat
Link:
https://tria.ge/reports/251116-vledlagj8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Process spawned unexpected child process
Malware Config
C2 Extraction:
securityhealthservice.ydns.eu:1000
Dropper Extraction:
https://ia601709.us.archive.org/28/items/optimized_msi_20251112_1649/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Java Script (JS) js a7143049467585b7382d389a9f183901e893f8c10165968964607019e7b8a0d9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3597685/
  
Delivery method
Distributed via web download

Comments