MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117
SHA3-384 hash: bb0e2ea74854952c9f119376d4d2cf7d3df0f5729b11f3b614e8c28189860e06d196e45270ec9c557294f06bb77d1689
SHA1 hash: 3c8b0e6846d0617fbb81d380b6ca61a3086afc96
MD5 hash: 0cdb083484d5e41ff9ae88c03dbb5c20
humanhash: skylark-blue-kilo-lithium
File name:order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:444 bytes
First seen:2021-04-08 08:46:54 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:WhQDlh4nHzbc/SGW7biSRMGgDgdz1efPW5PaJUAF8:WE8H3c/sqgMdD4sf6aKAq
Threatray 4 similar samples on MalwareBazaar
TLSH F2F05C65900C01E3410AFA4693D150B5C9665A5F01D0F3805442D5BAE67B27C9E179A2
Reporter abuse_ch
Tags:AsyncRAT Charter vbs


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: impout009.msg.chrl.nc.charter.net
Sending IP: 47.43.20.33
From: Amazon.com <tamhes@charter.net>
Subject: Your Amazon.com order #D01-9237793-8041853
Attachment: order-invoice-amazon-D01-9237793-8041853.DOCX.iso (contains "order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs")

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133122/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen76.11158.1920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669969
Signature
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected MSILLoadEncryptedAssembly
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwi3b65kx4m5c6htuiq4kf2bqn4jcoxyfsuiqvvaps7q35ig6elq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0294e5e38373123aacb7dc64aef0e353277e1f11edb3ff6f711e0080e5e6516c
AsyncRAT
70da4cb906561579f992801bfce2c3f1daf01833b292a9bd04545b7e0ee49fbd
AsyncRAT
713984a9d714e58c92b1338df4c54b55da27753d18c09d6a45427fd85c145454
AsyncRAT
777a1b5eb79e751f4684f825ef2a5df80433a2d4e20f921d4f747e904793f3d2
AsyncRAT
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210408-vleqrcrhrx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
xaft.camdvr.org:6606
xaft.camdvr.org:7707
xaft.camdvr.org:8808
ms4747.loseyourip.com:6606
ms4747.loseyourip.com:7707
ms4747.loseyourip.com:8808
Dropper Extraction:
https://cdn.discordapp.com/attachments/829557364016283679/829557904050487306/Eset.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

iso 2ce1829e18c3e38344bd6493db7a9bac7e3c9b49b8617c06d948b410dba31afe

AsyncRAT

Visual Basic Script (vbs) vbs cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117

(this sample)

  
Dropped by
MD5 9349d3f015a6ad0321b2f975d2987e1b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133122/
  
Dropped by
SHA256 2ce1829e18c3e38344bd6493db7a9bac7e3c9b49b8617c06d948b410dba31afe

Comments