MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c14c3e28aeede2cb2c195601336f9f44a8549b0a4f473a278c3431f19a05b67d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c14c3e28aeede2cb2c195601336f9f44a8549b0a4f473a278c3431f19a05b67d
SHA3-384 hash: 9355fd06be30478643e1b6367188647e8552909ec0c1fae7adb7c5ba97603bc0abd6f86446e341b7c70a5567c6137a4a
SHA1 hash: 8d0f20c25160e8fc44da3b6a4204c9402e1137e9
MD5 hash: 8d515ce46e43cfd8efd1782ecebea585
humanhash: washington-uncle-leopard-connecticut
File name:Required-Document.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:13'166 bytes
First seen:2022-03-08 11:25:43 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:J0R/wjGAIgYk740R/wjGAHjNk740R/wjGA1Fzzzj2+sBzIMNu8dfYCP3KJGX6peq:2WOgbWBGWn1oA3Z2Wh
TLSH T19342480FD32256A691A8E1BFC5DE759D336414622EF71BF424977A1263678220CCB3B3
Reporter abuse_ch
Tags:AsyncRAT RAT vbs


Avatar
abuse_ch
AsyncRAT C2:
208.51.61.44:128

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
208.51.61.44:128 https://threatfox.abuse.ch/ioc/392933/

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248225/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.44176.26118.10926.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952476
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicius Schtasks From Env Var Folder
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 584956 Sample: Required-Document.vbs Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 9 other signatures 2->88 9 wscript.exe 1 2->9         started        12 SecurityHealth.exe 1 2->12         started        14 SecurityHealth.exe 1 2->14         started        16 4 other processes 2->16 process3 signatures4 100 VBScript performs obfuscated calls to suspicious functions 9->100 102 Wscript starts Powershell (via cmd or directly) 9->102 18 cmd.exe 1 9->18         started        21 powershell.exe 12->21         started        23 powershell.exe 14->23         started        25 powershell.exe 16->25         started        27 powershell.exe 16->27         started        29 powershell.exe 16->29         started        process5 signatures6 90 Wscript starts Powershell (via cmd or directly) 18->90 31 powershell.exe 14 22 18->31         started        36 conhost.exe 18->36         started        92 Writes to foreign memory regions 21->92 94 Injects a PE file into a foreign processes 21->94 38 conhost.exe 21->38         started        40 aspnet_compiler.exe 21->40         started        42 conhost.exe 23->42         started        44 aspnet_compiler.exe 23->44         started        46 2 other processes 25->46 48 2 other processes 27->48 50 2 other processes 29->50 process7 dnsIp8 72 34.105.85.231, 49766, 80 GOOGLEUS United States 31->72 62 C:\Users\user\AppData\...\SecurityHealth.exe, PE32+ 31->62 dropped 64 C:\Users\Public\Music\SecurityHealth.exe, PE32+ 31->64 dropped 66 C:\Users\Public\Music\Untitled.ps1, ASCII 31->66 dropped 68 C:\Users\...\SecurityHealth.exe.manifest, exported 31->68 dropped 74 Suspicious powershell command line found 31->74 76 Drops PE files to the startup folder 31->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 31->78 80 Powershell drops PE file 31->80 52 powershell.exe 14 31->52         started        55 schtasks.exe 1 31->55         started        57 attrib.exe 1 31->57         started        file9 signatures10 process11 signatures12 96 Writes to foreign memory regions 52->96 98 Injects a PE file into a foreign processes 52->98 59 aspnet_compiler.exe 2 52->59         started        process13 dnsIp14 70 help-microsoft.dnslive.net 208.51.61.44, 128, 49771 NETRANGEUS United States 59->70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c14c3e28aeede2cb2c195601336f9f44a8549b0a4f473a278c3431f19a05b67d/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 11:26:12 UTC
File Type:
Binary
AV detection:
8 of 42 (19.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfgd4kfo5xrmwlazkyatg347isufjgykj5dtuj4mgqy7dgqfwz6q._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat suricata
Link:
https://tria.ge/reports/220308-njwfrshbal/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
Dropper Extraction:
http://34.105.85.231/New/Testavast+denf.txt
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c14c3e28aeed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c14c3e28aeede2cb2c195601336f9f44a8549b0a4f473a278c3431f19a05b67d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248225/

Comments