MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aed50a5da5a71dbee227b9de4c9ee68ec20e9814928b16fb231784c3d45ef4a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 7



SHA256 hash: aed50a5da5a71dbee227b9de4c9ee68ec20e9814928b16fb231784c3d45ef4a2
SHA3-384 hash: d0ca11173efd32caa603f975cd6388ab6484095fbbfb065050ac76cc406023216ecef55520478fe5dd83bb95959240a2
SHA1 hash: fe8d8ebc03e50c39b3c38b6f9aad6e9ea6894528
MD5 hash: 02d3b46db023e74bf34b36d336e283d8
humanhash: mississippi-blue-purple-pip
File name: believe-server.txt.ps1
Signature: AsyncRAT
File size: 261'674 bytes
First seen: 2022-10-14 07:21:59 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 6144:wRQRmeIR/ENCsO4/TzhUtZylDwc00ddPqWBYWUaOU8Y85TNkS:SX4PhU1cFPqWt987SS
Threatray: 2'792 similar samples on MalwareBazaar
TLSH: T1F544E05E0CE67DACD388427F2601512647EC7D37D48BB0689283E0FB19B3E7669349AD
Reporter: 0xToxin
Tags: 185.222.58.50 AsyncRAT Bitbucket NEW pro2pro ps1

Intelligence


File Origin
# of uploads: 1
# of downloads: 285
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name: AsyncRAT, PhoenixRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Creates processes via WMI
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
PowerShell case anomaly found
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Bypass AMSI
Yara detected PhoenixRAT
Behaviour
Behavior Graph (ID 723152; sample believe-server.txt.ps1; start date 14/10/2022; architecture WINDOWS; score 100)

Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Yara detected PhoenixRAT; 5 other signatures

Process tree as rendered by the sandbox (numbers in parentheses are graph node ids, not PIDs; signatures attached to a node are in square brackets):
  powershell.exe (9)
    cmd.exe (19)  [Uses cmd line tools excessively to alter registry or file data; PowerShell case anomaly found]
      cmd.exe (32)  [PowerShell case anomaly found]
        powershell.exe (47)  [Writes to foreign memory regions; Injects a PE file into a foreign processes]
          aspnet_compiler.exe (52)  -> 185.222.58.50 port 4545 (local port 49703), ROOTLAYERNETNL, Netherlands
      reg.exe (35)
      reg.exe (37)
    conhost.exe (22)
  powershell.exe (11)
    cmd.exe (24)
      cmd.exe (39)
        powershell.exe (50)
          aspnet_compiler.exe (55)
      reg.exe (41)
      reg.exe (43)
    conhost.exe (26)
  powershell.exe (13)  [Bypasses PowerShell execution policy]
    dropped: C:\ProgramData\...\RUCXFGHJUCVOFVUZVIPNCG.ps1 (ASCII)
    dropped: C:\ProgramData\...\JZKPPKGTHBOIPSRKOCOKSH.ps1 (ASCII)
    dropped: C:\ProgramData\...\JZKPPKGTHBOIPSRKOCOKSH.bat (DOS)
    powershell.exe (28)
      wscript.exe (45)  [Creates processes via WMI]
    conhost.exe (30)
  wscript.exe (17)
Result
Threat name: Script-WScript.Downloader.Heuristic
Status: Malicious
First seen: 2022-10-14 07:22:13 UTC
File Type: Text (PowerShell)
AV detection: 4 of 42 (9.52%)
Threat level: 2/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:new persistence rat
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Registers COM server for autorun
Async RAT payload
AsyncRat
Process spawned unexpected child process
Malware Config
C2 Extraction: 185.222.58.50:4545
Please note that we are no longer able to provide a coverage score for Virus Total.
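The vendor signatures and the extracted C2 above describe a chain that can be replayed as detection logic: a script host started with an execution-policy bypass, mixed-case "pOwErShElL" tokens, reg.exe reached through cmd.exe from PowerShell, a PowerShell process writing into aspnet_compiler.exe, and that process connecting to 185.222.58.50:4545. The following is an added example and not part of the MalwareBazaar entry or of any vendor's report: it runs those checks over constructed Sysmon-style events. The Event schema, command lines, file paths, registry key and PIDs are constructed for illustration (the PIDs reuse the graph node numbers); only the C2 address and port, the aspnet_compiler.exe injection target and the signature names come from the entry. The rule that any outbound connection from aspnet_compiler.exe is suspicious is a heuristic generalisation of this sample's behaviour, not a statement from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators taken from the MalwareBazaar entry above.
C2_IP = "185.222.58.50"
C2_PORT = 4545
INJECT_TARGETS = {"aspnet_compiler.exe"}  # process the sandbox shows being injected into
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}
CANONICAL_CASES = {"powershell", "POWERSHELL", "PowerShell", "Powershell"}


@dataclass
class Event:
    """Minimal Sysmon-style record (constructed schema, not a real Sysmon parser).
    eid: 1 = process create, 3 = network connect, 8 = CreateRemoteThread, 10 = ProcessAccess."""
    eid: int
    pid: int
    image: str
    ppid: int = 0
    cmdline: str = ""
    target_image: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def base(image: str) -> str:
    """Lower-cased basename of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def exec_policy_bypass(cmdline: str) -> bool:
    """-ep / -ex / -exec / -ExecutionPolicy followed by Bypass (PowerShell accepts any unambiguous prefix)."""
    return re.search(r"(?i)-e(?:p|x[a-z]*)\s+bypass", cmdline) is not None


def case_anomaly(cmdline: str) -> bool:
    """Mixed-case 'powershell' tokens such as pOwErShElL, the evasion the sandbox flags as a case anomaly."""
    return any(m not in CANONICAL_CASES for m in re.findall(r"(?i)powershell", cmdline))


def lineage(pid: int, procs: Dict[int, Event]) -> List[str]:
    """Image basenames of pid and its ancestors, as far as process-create records reach."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(base(procs[pid].image))
        pid = procs[pid].ppid
    return chain


def analyze(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (alert_kind, pid) pairs for the behaviours listed in the sandbox report."""
    procs = {e.pid: e for e in events if e.eid == 1}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        img = base(e.image)
        if e.eid == 1:
            if img in SCRIPT_HOSTS and exec_policy_bypass(e.cmdline):
                alerts.append(("exec-policy-bypass", e.pid))
            if case_anomaly(e.cmdline):
                alerts.append(("powershell-case-anomaly", e.pid))
            if img == "reg.exe" and "powershell.exe" in lineage(e.ppid, procs):
                alerts.append(("reg-from-powershell", e.pid))
            parent = procs.get(e.ppid)
            if img in INJECT_TARGETS and parent is not None and base(parent.image) in SCRIPT_HOSTS:
                alerts.append(("injection-target-spawned-by-script-host", e.pid))
        elif e.eid in (8, 10):
            if img in SCRIPT_HOSTS and base(e.target_image) in INJECT_TARGETS:
                alerts.append(("script-host-accessed-injection-target", e.pid))
        elif e.eid == 3:
            if e.dest_ip == C2_IP and e.dest_port == C2_PORT:
                alerts.append(("asyncrat-c2", e.pid))
            elif img in INJECT_TARGETS:
                # Heuristic (assumption, not from the report): a compiler helper has no
                # business making outbound connections.
                alerts.append(("injection-target-network", e.pid))
    return alerts


# Constructed image paths and events modelled on the sandbox process tree above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
REG = r"C:\Windows\System32\reg.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

SAMPLE_EVENTS = [
    Event(1, 9, PS, 4, "powershell.exe -ExecutionPolicy Bypass -w hidden -File stage.ps1"),
    Event(1, 19, CMD, 9, 'cmd.exe /c reg add HKCU\\Software\\Constructed /v Run /t REG_SZ '
                         '/d "pOwErShElL -w hidden -File stage.ps1" /f'),
    Event(1, 35, REG, 19, "reg add HKCU\\Software\\Constructed /v Run /t REG_SZ /d ... /f"),
    Event(1, 32, CMD, 19, "cmd.exe /c pOwErShElL -ep bypass -File loader.ps1"),
    Event(1, 47, PS, 32, "pOwErShElL -ep bypass -File loader.ps1"),
    Event(1, 52, ASPNET, 47, "aspnet_compiler.exe"),
    Event(8, 47, PS, target_image=ASPNET),
    Event(3, 52, ASPNET, dest_ip=C2_IP, dest_port=C2_PORT),
    # Benign noise (constructed) that must not alert.
    Event(1, 100, PS, 4, "powershell.exe -NoProfile -Command Get-Date"),
    Event(1, 99, r"C:\Program Files\MSBuild\msbuild.exe", 4, "msbuild.exe build.proj"),
    Event(1, 101, ASPNET, 99, "aspnet_compiler.exe -v / -p C:\\site"),
    Event(3, 102, r"C:\Program Files\Google\Chrome\chrome.exe", dest_ip="203.0.113.10", dest_port=443),
]

if __name__ == "__main__":
    for kind, pid in analyze(SAMPLE_EVENTS):
        print(f"{kind:42} pid={pid}")
```

The checks are deliberately independent of each other so that a partial chain still surfaces: the reg.exe rule walks the parent chain rather than requiring cmd.exe as the immediate parent, and the C2 match fires on the socket alone, without needing the injection events to have been collected.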

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments