MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d15606f8f0ae00181c9578fb60f7126911807aa75f2c0c22526655e5042f8c64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d15606f8f0ae00181c9578fb60f7126911807aa75f2c0c22526655e5042f8c64
SHA3-384 hash: 867247a9710c55241aae60111a25ff1c58e36324540369f319d991042fc8506a2949b77a6c0d02511539ea74645da4fd
SHA1 hash: 568db53cdcc52260aec39a4b844cb65f6c9505e1
MD5 hash: 5d1548c7e85f0d9711801749e7c89b95
humanhash: enemy-undress-bakerloo-five
File name:q.jpg
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:159'348 bytes
First seen:2023-06-26 15:32:21 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:C9qzRZo/6WhtVxFBXahLLswsQprieftT2LuppVc7dtcRTuom1GwTesrkdhfes/bH:CSdiLuyozm1GjomD315J3Apyf+QIg
TLSH T105F39BB8B59B85D4F54B9885367CFEA1013231F39ACD1F610338A6048FE9EE92F4558E
Reporter malwarology
Tags:AsyncRAT ps1 RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Dropper-13.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26618.JsHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
javascript masquerade powershell
Link:
https://www.filescan.io/uploads/6499afafee55f1e1b4b59b94/reports/3c7cd4c6-57c6-453d-b3f1-da1cef1a3f01/overview
Verdict:
Malicious
Labled as:
PowerShell/Runner.BG trojan
Link:
https://www.hybrid-analysis.com/sample/d15606f8f0ae00181c9578fb60f7126911807aa75f2c0c22526655e5042f8c64
Result
Verdict:
SUSPICIOUS
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1261634
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 894654 Sample: q.jpg.ps1 Startdate: 26/06/2023 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 7 other signatures 2->52 9 wscript.exe 1 2->9         started        13 powershell.exe 27 2->13         started        16 wscript.exe 2->16         started        process3 dnsIp4 44 192.168.2.1 unknown unknown 9->44 58 Wscript starts Powershell (via cmd or directly) 9->58 18 cmd.exe 1 9->18         started        36 C:\ProgramData\isbl\kzmp.ps1, ASCII 13->36 dropped 38 C:\ProgramData\isbl\isbl.vbs, ASCII 13->38 dropped 40 C:\ProgramData\isbl\1.bat, ASCII 13->40 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 13->60 21 conhost.exe 13->21         started        23 schtasks.exe 1 13->23         started        file5 signatures6 process7 signatures8 54 Wscript starts Powershell (via cmd or directly) 18->54 25 cmd.exe 1 18->25         started        28 conhost.exe 18->28         started        process9 signatures10 56 Wscript starts Powershell (via cmd or directly) 25->56 30 powershell.exe 7 25->30         started        process11 signatures12 62 Writes to foreign memory regions 30->62 64 Injects a PE file into a foreign processes 30->64 33 RegSvcs.exe 2 30->33         started        process13 dnsIp14 42 xsme.loseyourip.com 45.141.215.109, 49697, 6606 SPECTRAIPSpectraIPBVNL Netherlands 33->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d15606f8f0ae00181c9578fb60f7126911807aa75f2c0c22526655e5042f8c64/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2flan6hqvyabqhevpd5wb5ysneiya6vhl4wayissmzk6kbbprrsa._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/230626-wr1pfsbc69/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
xsme.loseyourip.com:6606
xsme.loseyourip.com:7707
xsme.loseyourip.com:8808
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d15606f8f0ae00181c9578fb60f7126911807aa75f2c0c22526655e5042f8c64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

iso 3711c75b9fd2cb121c3e432981397906ebc40558217c98ab59a7b0d263e05db3

AsyncRAT

d0a272f7a978dd2053fb013dfdd240b42684de1ed823c2eca0ac2f7ae8ab2296

AsyncRAT

PowerShell (PS) ps1 d15606f8f0ae00181c9578fb60f7126911807aa75f2c0c22526655e5042f8c64

(this sample)

AsyncRAT

Executable exe 039f16edf59d8d1ea14cfaa9ef0e47bd5f4788fa7b565c7d2089cf9f374d22f8

  
URLhaus
http://45.141.215.109:555/q.jpg
anyrun
any.run
https://app.any.run/tasks/622e3827-56c8-40d1-b772-00a0ee430ced
  
Dropped by
SHA256 d0a272f7a978dd2053fb013dfdd240b42684de1ed823c2eca0ac2f7ae8ab2296
  
Dropping
SHA256 039f16edf59d8d1ea14cfaa9ef0e47bd5f4788fa7b565c7d2089cf9f374d22f8
  
URLhaus
https://urlhaus.abuse.ch/url/2672269/
  
Delivery method
Distributed via web download
  
Dropping
MD5 333b9c314d77d8322c988f858d5592fa
  
Dropped by
MD5 8ad2820db5cc47eb6c653623174703c4

Comments