MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3d1d312b9fb579640acad50a9591b7876c75e9dbf9df4d9f9a33575ed659173. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3d1d312b9fb579640acad50a9591b7876c75e9dbf9df4d9f9a33575ed659173
SHA3-384 hash: c153fb5b1a9aa9b6b539b2cc11101ab677b63764603bfd2e2409aee1efaea2ed55ceaa38d5bea8d674ad5c0c2694f051
SHA1 hash: 9b1bd0ef29dbc70879afd22d27f38abdad6cfb4e
MD5 hash: b5a86443a6f683b275a06edb2ca79e86
humanhash: cardinal-mango-louisiana-kentucky
File name:Invoice.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:50'730 bytes
First seen:2023-02-03 11:14:45 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:PirsqeqGdIY/GlpGO7/gr7/WiNIdU8nT3vAmj:19qrnLgHp0UUT3Yq
Threatray 3'368 similar samples on MalwareBazaar
TLSH T11533F1587FF8FD6E42AD5FCAC11A9B4A528CB456536243F3AD9827080D327301DD4EDA
Reporter madjack_red
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.bat
Verdict:
Malicious activity
Analysis date:
2023-02-03 11:15:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e5e98603-b82d-4898-b0ee-10c4b91541cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/359850/
Detection(s):
Txt.Downloader.OneNoteBAT-9986016-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63dcecb8905a5ac3b909631b/reports/da4ba3f9-223a-4e22-b9b5-52390fe9c022/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b3d1d312b9fb579640acad50a9591b7876c75e9dbf9df4d9f9a33575ed659173
Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1165021
Signature
Bypasses PowerShell execution policy
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 797792 Sample: Invoice.bat Startdate: 03/02/2023 Architecture: WINDOWS Score: 88 54 mulla3.hopto.org 2->54 56 tools.keycdn.com 2->56 58 2 other IPs or domains 2->58 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 2 other signatures 2->72 11 cmd.exe 2 2->11         started        signatures3 process4 file5 52 C:\Users\user\Desktop\Invoice.bat.exe, PE32+ 11->52 dropped 78 Suspicious powershell command line found 11->78 80 Bypasses PowerShell execution policy 11->80 82 Renames powershell.exe to bypass HIPS 11->82 15 Invoice.bat.exe 1 19 11->15         started        19 conhost.exe 11->19         started        signatures6 process7 dnsIp8 60 mulla2022.hopto.org 104.168.152.36, 49696, 49698, 49699 HOSTWINDSUS United States 15->60 62 mulla2.mywire.org 15->62 64 mulla1.mywire.org 15->64 46 C:\Users\user\AppData\Local\Temp\gkpnoa.bat, DOS 15->46 dropped 48 C:\Users\user\AppData\Local\Temp\exqzzb.bat, DOS 15->48 dropped 21 cmd.exe 1 15->21         started        24 cmd.exe 1 15->24         started        file9 process10 signatures11 76 Suspicious powershell command line found 21->76 26 powershell.exe 10 21->26         started        28 conhost.exe 21->28         started        30 powershell.exe 10 24->30         started        32 conhost.exe 24->32         started        process12 process13 34 cmd.exe 2 26->34         started        38 cmd.exe 1 30->38         started        file14 50 C:\Users\user\AppData\...\exqzzb.bat.exe, PE32+ 34->50 dropped 74 Renames powershell.exe to bypass HIPS 34->74 40 exqzzb.bat.exe 1 34->40         started        42 conhost.exe 34->42         started        44 conhost.exe 38->44         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3d1d312b9fb579640acad50a9591b7876c75e9dbf9df4d9f9a33575ed659173/
Threat name:
Script-BAT.Downloader.ONDlder
Create hunting rule
Status:
Malicious
First seen:
2023-02-02 02:51:59 UTC
File Type:
Text (Batch)
AV detection:
4 of 39 (10.26%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpi5gevz7nlzmqfmvvikswi3pb3moxu5x6o7jwpzum2xl3lfsfzq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
00f832dff9d82b0bc27bec58514839917cd175a11759488be8479e7e690311d3
AsyncRAT
2c8f198acf863de41f5d048234825676801e03532d0d1c07fcd3c1ded96ea13b
AsyncRAT
80c1568ef979e0d9881fa33ee69c3f8c15caa924acd4df9e4c951a7047577caa
AsyncRAT
a44e7420e441548adddf0d79cc51e46211ebfa7dde08e5c95211eb3f95d0e570
AsyncRAT
d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e
AsyncRAT
fa6422c2f12f6bd2e3e59e7e6492e7573124d131a811bd0a5368b6f1365f3916
AsyncRAT
+ 3'358 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/230203-nckqpaac31/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Installed Components in the registry
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3d1d312b9fb579640acad50a9591b7876c75e9dbf9df4d9f9a33575ed659173

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/359850/

Comments