MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdd4ab01797a178b70303381028cb419a8550a15fa75bdb40f6d56bc289b7dcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdd4ab01797a178b70303381028cb419a8550a15fa75bdb40f6d56bc289b7dcf
SHA3-384 hash: 8c21ac1a8b0f47368b3e88e94ee47ba3b54261e6a591751f3cf8a088055ad58ff987ece28a41704c0a109f5139912214
SHA1 hash: bb0c2774e0bae878e86fed4e914db9ffff306361
MD5 hash: 95db775b2006533ec4a464e90c615c80
humanhash: connecticut-speaker-indigo-michigan
File name:Document-Required.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:49'225 bytes
First seen:2022-03-08 03:59:15 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:xuBcm9KKt7Db6o7dLGRtQFf7D7FwPm1swscg7Btr:l
Threatray 3'288 similar samples on MalwareBazaar
TLSH T10323D3D5872895FC77FCDC0A8FFAA90D2400852E8C737846DE8A007951B8867B9F657E
Reporter ankit_anubhav
Tags:AsyncRAT vbs

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
208.51.61.44:128 https://threatfox.abuse.ch/ioc/392933/

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248072/
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.6166.5163.17602.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952087
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicius Schtasks From Env Var Folder
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 584568 Sample: Document-Required.vbs Startdate: 07/03/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 11 other signatures 2->56 9 wscript.exe 1 2->9         started        12 SecurityHealth.exe 1 2->12         started        process3 signatures4 66 VBScript performs obfuscated calls to suspicious functions 9->66 68 Wscript starts Powershell (via cmd or directly) 9->68 14 cmd.exe 1 9->14         started        17 powershell.exe 12 12->17         started        process5 signatures6 74 Wscript starts Powershell (via cmd or directly) 14->74 19 powershell.exe 14 23 14->19         started        24 conhost.exe 14->24         started        26 conhost.exe 17->26         started        process7 dnsIp8 46 34.105.85.231, 49779, 80 GOOGLEUS United States 19->46 38 C:\Users\user\AppData\...\SecurityHealth.exe, PE32+ 19->38 dropped 40 C:\Users\Public\Music\SecurityHealth.exe, PE32+ 19->40 dropped 42 C:\Users\Public\Music\Untitled.ps1, ASCII 19->42 dropped 44 C:\Users\...\SecurityHealth.exe.manifest, exported 19->44 dropped 58 Suspicious powershell command line found 19->58 60 Drops PE files to the startup folder 19->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 19->62 64 Powershell drops PE file 19->64 28 powershell.exe 14 19->28         started        31 schtasks.exe 1 19->31         started        33 attrib.exe 1 19->33         started        file9 signatures10 process11 signatures12 70 Writes to foreign memory regions 28->70 72 Injects a PE file into a foreign processes 28->72 35 aspnet_compiler.exe 2 28->35         started        process13 dnsIp14 48 help-microsoft.dnslive.net 208.51.61.44, 128, 49782 NETRANGEUS United States 35->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdd4ab01797a178b70303381028cb419a8550a15fa75bdb40f6d56bc289b7dcf/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 04:00:11 UTC
File Type:
Text (VBS)
AV detection:
7 of 42 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxkkwalzpilyw4bqgoaqfdfudgufkcqv7j233napnvllyke3pxhq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
AsyncRAT
238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb
AsyncRAT
4da864854d368ab640245f8174d247e0b9947045712d2d7449e25e7074b8587c
AsyncRAT
590e531489556cfb9de022bc52bce2489c3609e693209c59fdce5698c6fc0be3
AsyncRAT
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
AsyncRAT
8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e
AsyncRAT
c7181c0275bdf5c7dee5fb920aec9bbbd89842f32621a8b9efcf845cba2a74fd
AsyncRAT
e1c8fbc6931af31a8c7d8a8a85792c44906728db795ca6df3f2d626c760c43b6
AsyncRAT
f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
AsyncRAT
fc64e7337e23dc861c4b4a4bbe26189cb388add1ed27198779c701e6ab1cc2b6
AsyncRAT
+ 3'278 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/220308-ekpj6sbga8/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
Dropper Extraction:
http://34.105.85.231/New/Testavast+denf.txt
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cdd4ab01797a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdd4ab01797a178b70303381028cb419a8550a15fa75bdb40f6d56bc289b7dcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Visual Basic Script (vbs) vbs cdd4ab01797a178b70303381028cb419a8550a15fa75bdb40f6d56bc289b7dcf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/248072/

Comments