MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3850a52c492fd7be069cf02e5ca9da6bff3d30fa09b97aa3e9c79979f96d170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8



SHA256 hash: d3850a52c492fd7be069cf02e5ca9da6bff3d30fa09b97aa3e9c79979f96d170
SHA3-384 hash: 391014d06612bd5c33c5383de618835bebef9a129c5ff4d1b9aaf16d02db83c0b3334d48a321efa0c841c79af6b6ee56
SHA1 hash: 0b592f36e7f1561b5fab4925f37667be7aa1f5ee
MD5 hash: b65fc5e20e962cbeda85ef448d1fba8e
humanhash: thirteen-friend-music-two
File name: Cardlock_341121.bat
Signature: AsyncRAT
File size: 61'206 bytes
First seen: 2023-01-11 14:08:24 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 1536:npuKFUvT3Hm6gFmMy9j8xC6aXdNBDh+7hGbU+0wFLY:npRUTBgFmzG0DBt+78bU+JFLY
Threatray: 2'801 similar samples on MalwareBazaar
TLSH: T1D653E08B80CB729D0AC4DC2F4DDFF56F6C8D3F90825617DA44CD666A52B6308448FCAA
Reporter: 0xToxin
Tags: AsyncRAT bat

Intelligence


File Origin
# of uploads: 1
# of downloads: 95
Origin country: IL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Cardlock_341121.bat
Verdict: Malicious activity
Analysis date: 2023-01-11 14:11:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Result
Threat name: AsyncRAT, DcRat
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Renames powershell.exe to bypass HIPS
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph (ID 782351; sample Cardlock_341121.bat; start date 11/01/2023; architecture WINDOWS; score 80). Details recoverable from the graph image:
Network: su1d.nerdpol.ovh
Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected DcRat; 2 other signatures; Renames powershell.exe to bypass HIPS
Process chain: cmd.exe started; dropped C:\Users\user\...\Cardlock_341121.bat.exe (PE32+); Cardlock_341121.bat.exe started and resolved su1d.nerdpol.ovh; conhost.exe started
Threat name: Script-PowerShell.Trojan.Heuristic
Status: Malicious
First seen: 2023-01-09 12:18:06 UTC
File Type: Text (Batch)
AV detection: 5 of 40 (12.50%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments