MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af6794ebbb7d1dd19893bb919c5881cb6d8c026afaf5931cae3c294e6baee7ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 7

SHA256 hash: af6794ebbb7d1dd19893bb919c5881cb6d8c026afaf5931cae3c294e6baee7ea
SHA3-384 hash: 58a901d24c42e30b6ef4c83feca0fb72d9fd4fef86da52df766dde861a82e4c2404551b383040d29d0ac156344eab748
SHA1 hash: 134953571f892580ec793340f0997812bc928a71
MD5 hash: f49c085a0873fe1a44e09ba9bd10c122
humanhash: rugby-pip-arkansas-eleven
File name: usman-server.txt.ps1
Signature: AsyncRAT
File size: 261'363 bytes
First seen: 2022-10-14 07:21:40 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 6144:aRQRmeIR/ENCsOSRR3gq37ZN85OcyixP3Nf5HHLkJswKVFNvXu:wXYv4wcfxp1HwSFBu
Threatray: 2'799 similar samples on MalwareBazaar
TLSH: T11844F15E1DE67DACD388427E2601502687EC7D37D48BB0688283F0FB19B3E7659349AD
Reporter: 0xToxin
Tags: 212.192.219.56 AsyncRAT Bitbucket Default pro2pro ps1

Intelligence

File Origin
# of uploads: 1
# of downloads: 258
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Result
Threat name: AsyncRAT, PhoenixRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Creates processes via WMI
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
PowerShell case anomaly found
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Bypass AMSI
Yara detected PhoenixRAT
Behaviour
Behavior Graph (rendered graph not recoverable from the text extract): Behavior Graph ID 723155; Sample: usman-server.txt.ps1; Startdate: 14/10/2022; Architecture: WINDOWS; Score: 100.
Recoverable process chain: powershell.exe and wscript.exe instances start cmd.exe, conhost.exe and reg.exe; one powershell.exe instance drops XSJYEGLBUOZEHBTNLNLSOU.ps1 and two further .ps1/.bat files under C:\ProgramData\... and bypasses the PowerShell execution policy; wscript.exe creates processes via WMI; a later powershell.exe writes to foreign memory regions and injects a PE file into aspnet_compiler.exe.
Network (dnsIp): 212.192.219.56, ports 49725 and 5612, KUBANNETRU, Russian Federation, contacted by aspnet_compiler.exe.
Threat name: Script-WScript.Downloader.Heuristic
Status: Malicious
First seen: 2022-10-14 07:22:12 UTC
File Type: Text (PowerShell)
AV detection: 4 of 41 (9.76%)
Threat level: 2/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:default persistence rat
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Registers COM server for autorun
Async RAT payload
AsyncRat
Process spawned unexpected child process
Malware Config
C2 Extraction: 212.192.219.56:5612
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
