MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e
SHA3-384 hash: b13d435f77e94b52e7ce46903c247eabc082dee5c1be352a3f3469c8d12b3c0daf4e7c832a762c8330c3d997b8a25b9e
SHA1 hash: ed8eedc542e02a8ab749b02f161d39bb840a589c
MD5 hash: 4300caa42bd8fc0c7d9ce83b19c6f1f6
humanhash: north-sixteen-comet-winner
File name:system32.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:50'622 bytes
First seen:2023-01-10 08:49:36 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:WBqEwgF4HVzac6F8F2xqWa8VfXx0da57eezlV4R:1/gF41GLNxfa8VPuda57egQ
Threatray 2'794 similar samples on MalwareBazaar
TLSH T1B233E01077C2BD0C11D28BF7C816DA50ACEB9086664283DCF352109F4B656A5AEDEB7F
Reporter 0xToxin
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
system32.bat
Verdict:
Malicious activity
Analysis date:
2023-01-10 08:50:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/adf9789b-72d1-4fa9-bc1b-4e8d24af1b5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351434/
Detection(s):
Can't access file ERROR
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63bd26befc9525ae8a4524a0/reports/802c9f78-6f14-4b19-acc6-8d568ec33d85/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT, DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148573
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 781305 Sample: system32.bat Startdate: 10/01/2023 Architecture: WINDOWS Score: 100 97 pedro2021w.ddns.net 2->97 99 tools.keycdn.com 2->99 101 3 other IPs or domains 2->101 127 Snort IDS alert for network traffic 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 Antivirus detection for URL or domain 2->131 133 8 other signatures 2->133 15 cmd.exe 2 2->15         started        19 Ahtgrdcx.exe 2->19         started        21 Ahtgrdcx.exe 2->21         started        signatures3 process4 file5 95 C:\Users\user\Desktop\system32.bat.exe, PE32+ 15->95 dropped 115 Suspicious powershell command line found 15->115 117 Bypasses PowerShell execution policy 15->117 119 Adds a directory exclusion to Windows Defender 15->119 121 Renames powershell.exe to bypass HIPS 15->121 23 system32.bat.exe 2 19 15->23         started        28 conhost.exe 15->28         started        123 Machine Learning detection for dropped file 19->123 30 colorcpl.exe 19->30         started        signatures6 process7 dnsIp8 103 pedro2021w.ddns.net 154.12.250.38, 2404, 4782, 49695 COGENT-174US United States 23->103 83 C:\Users\user\AppData\Local\Temp\scnviz.exe, PE32 23->83 dropped 85 C:\Users\user\AppData\Local\Temp\dhrucx.bat, DOS 23->85 dropped 147 Tries to harvest and steal browser information (history, passwords, etc) 23->147 32 cmd.exe 1 23->32         started        35 cmd.exe 1 23->35         started        file9 signatures10 process11 signatures12 125 Suspicious powershell command line found 32->125 37 powershell.exe 10 32->37         started        39 conhost.exe 32->39         started        41 powershell.exe 10 35->41         started        43 conhost.exe 35->43         started        process13 process14 45 scnviz.exe 1 21 37->45         started        50 cmd.exe 1 41->50         started        dnsIp15 105 ymkcpq.dm.files.1drv.com 45->105 107 onedrive.live.com 45->107 109 dm-files.fe.1drv.com 45->109 87 C:\Users\Public\Libraries\netutils.dll, PE32+ 45->87 dropped 89 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 45->89 dropped 91 C:\Users\Public\Libraries\Ahtgrdcx.exe, PE32 45->91 dropped 93 C:\Users\Public\Libraries\Ahtgrdcx, data 45->93 dropped 149 Machine Learning detection for dropped file 45->149 151 Writes to foreign memory regions 45->151 153 Allocates memory in foreign processes 45->153 52 cmd.exe 3 45->52         started        55 iexpress.exe 45->55         started        57 conhost.exe 50->57         started        file16 signatures17 process18 signatures19 135 Uses ping.exe to sleep 52->135 137 Drops executables to the windows directory (C:\Windows) and starts them 52->137 139 Uses ping.exe to check the status of other devices and networks 52->139 59 easinvoker.exe 52->59         started        61 PING.EXE 52->61         started        64 xcopy.exe 2 52->64         started        67 6 other processes 52->67 process20 dnsIp21 69 cmd.exe 59->69         started        111 127.0.0.1 unknown unknown 61->111 113 192.168.2.1 unknown unknown 61->113 79 C:\Windows \System32\easinvoker.exe, PE32+ 64->79 dropped 81 C:\Windows \System32\netutils.dll, PE32+ 67->81 dropped file22 process23 signatures24 141 Suspicious powershell command line found 69->141 143 Adds a directory exclusion to Windows Defender 69->143 72 powershell.exe 69->72         started        75 conhost.exe 69->75         started        process25 signatures26 145 DLL side loading technique detected 72->145 77 conhost.exe 72->77         started        process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2mu2ezouabnszoeqfvqur726ir37eib3ylshnzi6lck7tpuzyu7a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0c46021aa8d5a1164ee93248ea12f42e05612006943fb9bf32d2d4fbd4a9dcbc
AsyncRAT
211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
AsyncRAT
49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c
AsyncRAT
5084b2032e7376b0857d446a786c83b50d3fe6913a5dbfbe6bb4ad65751dbfac
AsyncRAT
80c1568ef979e0d9881fa33ee69c3f8c15caa924acd4df9e4c951a7047577caa
AsyncRAT
a44e7420e441548adddf0d79cc51e46211ebfa7dde08e5c95211eb3f95d0e570
AsyncRAT
b26760b051260ea435c5c32f8e65cd200034495db040e58da7b453b3d57132a5
AsyncRAT
f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990
AsyncRAT
+ 2'784 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:modiloader family:remcos botnet:remotehost persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230110-krksfsbc2t/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
ModiLoader Second Stage
AsyncRat
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
pedro2021w.ddns.net:2404
pedro2021w1.ddns.net:2404
pedro2021w2.ddns.net:2404
newspk.ddns.net:2404
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d329a265d400/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

Batch (bat) bat d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e

(this sample)

AsyncRAT

Executable exe f8b823dc5519d25ef2599725c25306171a8496069b1ba56cb854323ae98d10d1

Cape
Cape
https://www.capesandbox.com/analysis/351434/
  
Dropping
SHA256 f8b823dc5519d25ef2599725c25306171a8496069b1ba56cb854323ae98d10d1
  
Dropping
MD5 96c5351d38eb95ecc9bf606577a59314

Comments