MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84
SHA3-384 hash: 5c846b70e26d77fcdb08916d0e9a5345473eec2a6b375e2db395b9f47014cfcdc0471c69284d77fb51147a327cd76118
SHA1 hash: 40f31b18c53d5493a55f1b102dd9baf8a377fbc0
MD5 hash: 49a627d0ea30ba33304811dc4fb7a7d5
humanhash: seventeen-ten-september-uniform
File name:Curriculum VItae - Copy (2).vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:81'684 bytes
First seen:2025-05-11 15:59:55 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:otDa3LRV0ubIGkikGkFjGkikGkKEt0eEKU+kCKGWGPrbrbTDDpOAWGPrbrbTDDpj:wDwVJy
Threatray 1'564 similar samples on MalwareBazaar
TLSH T1EC835A52ABEA2108B1F6BB88593A05344F277CC96C7DC55E05CC6A4D1BF3EC4D860BA7
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika mp3
Reporter smica83
Tags:AsnycRAT AsyncRAT aula01-ddns-net aula012-accesscam-org bart2025-duckdns-org vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6820cb714a59e5a2ce03ae70
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6820c984d95f3e34e9665b4e/reports/733a8fd2-ae4e-403c-ad44-31ba80365466/overview
Verdict:
Malicious
Labled as:
HEUR_Trojan_VBS_Alien_gen
Link:
https://www.hybrid-analysis.com/sample/b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1687259
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1687259 Sample: Curriculum VItae - Copy (2).vbs Startdate: 11/05/2025 Architecture: WINDOWS Score: 100 33 bart2025.duckdns.org 2->33 35 aula01.ddns.net 2->35 37 9 other IPs or domains 2->37 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 57 19 other signatures 2->57 9 wscript.exe 3 2 2->9         started        signatures3 55 Uses dynamic DNS services 35->55 process4 file5 31 C:\Users\user\AppData\...\script_94121.vbs, Unicode 9->31 dropped 67 VBScript performs obfuscated calls to suspicious functions 9->67 69 Suspicious powershell command line found 9->69 71 Wscript starts Powershell (via cmd or directly) 9->71 73 3 other signatures 9->73 13 wscript.exe 1 9->13         started        16 cmd.exe 1 9->16         started        signatures6 process7 signatures8 75 Suspicious powershell command line found 13->75 77 Wscript starts Powershell (via cmd or directly) 13->77 18 powershell.exe 14 15 13->18         started        22 curl.exe 1 16->22         started        24 conhost.exe 16->24         started        process9 dnsIp10 39 dn721808.ca.archive.org 204.62.247.90, 443, 49723 COGENT-174US United States 18->39 41 archive.org 207.241.224.2, 443, 49722 INTERNET-ARCHIVEUS United States 18->41 59 Found Tor onion address 18->59 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->61 63 Writes to foreign memory regions 18->63 65 Injects a PE file into a foreign processes 18->65 26 MSBuild.exe 2 18->26         started        29 conhost.exe 18->29         started        43 127.0.0.1 unknown unknown 22->43 45 paste.ee 23.186.113.60, 443, 49718, 49724 KLAYER-GLOBALNL Reserved 22->45 signatures11 process12 dnsIp13 47 bart2025.duckdns.org 128.90.122.175, 49731, 5155 PHMGMT-AS1US United States 26->47
Score:
69%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-10 23:15:06 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjleympp7wb4w2etuxht4eakn7d4vdyz5btrxtxk4kywat6jhsca._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
35c73c6c8bed8697de74b1509caf030fae69fb856edefc47342adde573da928c
AsyncRAT
6bb2386101837fd4e8a32018f2d8ec5bbd646bef9a5513783f782fe2ae1ff3e0
AsyncRAT
9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2
AsyncRAT
adc29eb24db484b14101ce4ab0e8eeda1586009dd65f980e596c8fa45703678c
AsyncRAT
bdd678604bbefecbc2b54dfd55b1cd677e151bf1e5ee59ab2860363c27d73d16
AsyncRAT
error
AsyncRAT
fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
AsyncRAT
+ 1'554 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:testando2 discovery execution rat
Link:
https://tria.ge/reports/250511-tfrw3aej81/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:5536
127.0.0.1:5155
127.0.0.1:2020
127.0.0.1:2021
aula01.ddns.net:6606
aula01.ddns.net:7707
aula01.ddns.net:8808
aula01.ddns.net:5536
aula01.ddns.net:5155
aula01.ddns.net:2020
aula01.ddns.net:2021
bart2025.duckdns.org:6606
bart2025.duckdns.org:7707
bart2025.duckdns.org:8808
bart2025.duckdns.org:5536
bart2025.duckdns.org:5155
bart2025.duckdns.org:2020
bart2025.duckdns.org:2021
aula012.accesscam.org:6606
aula012.accesscam.org:7707
aula012.accesscam.org:8808
aula012.accesscam.org:5536
aula012.accesscam.org:5155
aula012.accesscam.org:2020
aula012.accesscam.org:2021
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments