MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8df56b7dd55d5e18c8a4aceb72729b062768d5dc57f56f1a3249ce5577825b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash: a8df56b7dd55d5e18c8a4aceb72729b062768d5dc57f56f1a3249ce5577825b7
SHA3-384 hash: 93f41a8750ac84785771bc4e7ba0498019e26954e6cc26857dd8f0d6de2d9ef3285ff1bc973fd7a965f7efbc5a30688b
SHA1 hash: 61040f62b9516f8ae4a57375dcf6a0858ce33f7b
MD5 hash: c7d4f9c0e93106ccdfd248755b716a17
humanhash: colorado-minnesota-tango-fifteen
File name:FACTURAPDF #1456346353.vbs
Download: download sample
Signature AsyncRAT
File size:2'781'046 bytes
First seen:2022-08-27 06:59:53 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:h2vY07Zas3SvAL002AOob20bvkB4H2vY07Zas3SvAL002AOob20bvkBE:ovYNsCvALNOQjBWvYNsCvALNOQj5
Threatray 2'729 similar samples on MalwareBazaar
TLSH T1B4D528E50D512049050395BF90AE19BBF91D87E23AA3DB65788CF8F10B16F587D8F4CA
Reporter abuse_ch
Tags:AsyncRAT vbs

Intelligence


File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Result
Threat name:
AsyncRAT, DcRat
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
DLL side loading technique detected
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 691341 Sample: FACTURAPDF #1456346353.vbs Startdate: 27/08/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 9 other signatures 2->75 12 wscript.exe 15 2->12         started        process3 dnsIp4 59 paste.ee 188.114.96.3, 443, 49714, 49781 CLOUDFLARENETUS European Union 12->59 97 System process connects to network (likely due to code injection or exploit) 12->97 99 VBScript performs obfuscated calls to suspicious functions 12->99 101 Wscript starts Powershell (via cmd or directly) 12->101 103 Wscript called in batch mode (surpress errors) 12->103 16 wscript.exe 14 12->16         started        signatures5 process6 signatures7 65 Wscript starts Powershell (via cmd or directly) 16->65 67 Wscript called in batch mode (surpress errors) 16->67 19 wscript.exe 14 16->19         started        22 powershell.exe 23 16->22         started        process8 signatures9 77 VBScript performs obfuscated calls to suspicious functions 19->77 79 Wscript starts Powershell (via cmd or directly) 19->79 81 Drops VBS files to the startup folder 19->81 24 wscript.exe 24 19->24         started        28 conhost.exe 22->28         started        process10 file11 53 C:\Users\user\AppData\Local\...\dynwrapx.dll, PE32 24->53 dropped 55 C:\Users\user\...\FACTURAPDF #1456346353.vbs, ASCII 24->55 dropped 89 Wscript starts Powershell (via cmd or directly) 24->89 91 Windows Shell Script Host drops VBS files 24->91 93 Writes to foreign memory regions 24->93 95 3 other signatures 24->95 30 RegAsm.exe 24->30         started        34 powershell.exe 24->34         started        36 RegAsm.exe 24->36         started        38 2 other processes 24->38 signatures12 process13 dnsIp14 61 winhost.ddns.net 141.95.84.40, 2404, 49782, 49784 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 30->61 63 paste.ee 30->63 57 C:\Users\user\AppData\Local\Temp\SAVE.vbs, Little-endian 30->57 dropped 40 cmd.exe 30->40         started        43 conhost.exe 34->43         started        45 WerFault.exe 36->45         started        file15 process16 signatures17 83 Suspicious powershell command line found 40->83 85 Wscript starts Powershell (via cmd or directly) 40->85 87 Bypasses PowerShell execution policy 40->87 47 powershell.exe 40->47         started        49 conhost.exe 40->49         started        process18 process19 51 wscript.exe 47->51         started       
Threat name:
Text.Trojan.Generic
Status:
Suspicious
First seen:
2022-08-26 12:17:34 UTC
File Type:
Text (VBS)
AV detection:
3 of 26 (11.54%)
Threat level:
  5/5
Result
Malware family:
asyncrat
Score:
  10/10
Tags:
family:asyncrat rat
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Async RAT payload
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:SUSP_Websites
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Visual Basic Script (vbs) vbs a8df56b7dd55d5e18c8a4aceb72729b062768d5dc57f56f1a3249ce5577825b7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments