MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdcaf31f882353b75031d1d7353085ff529612bec3a62e462fa3086d2a79bb85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	bdcaf31f882353b75031d1d7353085ff529612bec3a62e462fa3086d2a79bb85
SHA3-384 hash:	2b73ab9ee5bb9fc83080b9ee0c7ba09642a13833a0e5244f695e6a1aa520401fe4577e375073a0a5a9795265f4e96e41
SHA1 hash:	1cb0b1c6657437a1e37546e62c660456e7355cde
MD5 hash:	6ada9636b309c11e3c93f425ab32a473
humanhash:	steak-blue-ink-mars
File name:	Waybill.vbs
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	504 bytes
First seen:	2021-10-29 05:11:44 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12:TaVLMUVb9wCJhIgmVeljehfMWUBAzdqsH3wbhCXg0TC:mV4UvXrp+fMWPnwoQcC
Threatray	163 similar samples on MalwareBazaar
TLSH	T1B1F0220FF42BEAD70A217A53F0E6A13D853440C207A0CA7C8127438D4B214753E291BE
Reporter	abuse_ch
Tags:	AsyncRAT vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Agent.FOZQ.4189.30763.UNOFFICIAL

Result

Verdict:

MALICIOUS

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/879126

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious PowerShell Command Line

Uses dynamic DNS services

VBScript performs obfuscated calls to suspicious functions

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bdcaf31f882353b75031d1d7353085ff529612bec3a62e462fa3086d2a79bb85/

Threat name:

Script-WScript.Downloader.Powdow

Status:

Malicious

First seen:

2021-10-29 05:12:11 UTC

AV detection:

10 of 44 (22.73%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xxfpgh4ienj3oubr2hltkmef75jjmev6yotc4rrpumeg2ktzxocq._file

Verdict:

malicious

Label(s):

asyncrat

Similar samples:

043624c213f4575f22c66f72f20dd68a1126363beefd8d1c7c5c0d82a5a556ce

3959233284f7f4a7bec2a314820e3b8e073591a31dfe8c43a03f7a24833b7fd3

3fc706ce01f2ff41e02943699351d1ad3c32160cbd0be0b8bb85f9472303d4c2

6d392e6956913772c10d49c5a64933b5bbc17d66a8ce02e5ed6716141af438ed

96fa5508157c3e0b18ccaa02417198c62816e549791997efd29dbcb8801e0db0

a341b8f10a51457c11292173cfa48fe49256c9ccef8ec045753b49b2bfa935d6

c3f8019ba1f837f109cf75b3aeb84e79900030e8f098302490dd7bca4d2345b0

caf35ea9298dd671604af5920dccb89362fee4a67b24f8bfe73e12ceedc91504

eb30ab0173d9def4895227fbc1f82c21bbd7af6209d268a483c57e5ee04926b3

+ 153 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:dapol rat

Link:

https://tria.ge/reports/211029-fvwxnshchn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Blocklisted process makes network request

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

yuri101.duckdns.org:4021

Dropper Extraction:

http://52.150.26.35/bypass.txt

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bdcaf31f882353b75031d1d7353085ff529612bec3a62e462fa3086d2a79bb85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample