MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d902c2a2c8bac223c0505356db5c08697ff3cad76eb1a281a9cf3da7d662d0a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d902c2a2c8bac223c0505356db5c08697ff3cad76eb1a281a9cf3da7d662d0a9
SHA3-384 hash: 118d1ea1602acfbc18b74b6a90878f164ab0b917771c6f12e04f5d7ee8e371b713379f0b53922cf099e2a2ebbf2822d7
SHA1 hash: d84d00d8ff1dd3fb6703a9c1a15abfee43416373
MD5 hash: 402434e32ab52c8ba471e80b1a6ecd93
humanhash: cola-kitten-july-delaware
File name:thwit.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:965 bytes
First seen:2023-08-20 21:28:12 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24:ppzHO3I8BC8YdD69hsD6S7LuE586N+Lw1PKC2Got:ppCI8BCXwelqY1P30t
Threatray 2'668 similar samples on MalwareBazaar
TLSH T1B81194080208A3BF07F6C46FC188C11BDA39B189A337C88230A4E744F50478CD6A9B22
Reporter ULTRAFRAUD
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
AT AT
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
thwit.bat
Verdict:
Malicious activity
Analysis date:
2023-08-20 21:30:24 UTC
Tags:
loader asyncrat
Link:
https://app.any.run/tasks/173527e3-973e-49ae-81c4-530812757be4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443855/
Detection(s):
SecuriteInfo.com.Generic.PWSH.Downloader.D.FEA4CDEE.1143.10380.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/d902c2a2c8bac223c0505356db5c08697ff3cad76eb1a281a9cf3da7d662d0a9
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294187
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Schedule system process
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to download and execute files (via powershell)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1294187 Sample: thwit.bat Startdate: 20/08/2023 Architecture: WINDOWS Score: 100 52 thwit.ddns.net 2->52 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 5 other signatures 2->72 10 cmd.exe 2->10         started        signatures3 process4 signatures5 82 Suspicious powershell command line found 10->82 84 Tries to download and execute files (via powershell) 10->84 86 Bypasses PowerShell execution policy 10->86 88 2 other signatures 10->88 13 powershell.exe 12 10->13         started        15 powershell.exe 18 10->15         started        18 powershell.exe 14 15 10->18         started        22 3 other processes 10->22 process6 dnsIp7 24 dcr3.exe 7 13->24         started        90 Found suspicious powershell code related to unpacking or dynamic code loading 15->90 92 Powershell drops PE file 15->92 54 thwit.ddns.net 129.213.49.94, 49757, 49777, 49782 ORACLE-BMC-31898US United States 18->54 56 7l.ddns.net 18->56 44 C:\tmp\dcr3.exe, PE32 18->44 dropped file8 signatures9 process10 file11 46 C:\tmp\svchost.exe, PE32 24->46 dropped 74 Antivirus detection for dropped file 24->74 76 Multi AV Scanner detection for dropped file 24->76 78 Machine Learning detection for dropped file 24->78 80 Drops PE files with benign system names 24->80 28 cmd.exe 1 24->28         started        30 cmd.exe 1 24->30         started        signatures12 process13 process14 32 svchost.exe 2 28->32         started        36 conhost.exe 28->36         started        38 timeout.exe 1 28->38         started        40 conhost.exe 30->40         started        42 schtasks.exe 1 30->42         started        dnsIp15 48 127.0.0.1 unknown unknown 32->48 50 thwit.ddns.net 32->50 58 Antivirus detection for dropped file 32->58 60 System process connects to network (likely due to code injection or exploit) 32->60 62 Multi AV Scanner detection for dropped file 32->62 64 Machine Learning detection for dropped file 32->64 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d902c2a2c8bac223c0505356db5c08697ff3cad76eb1a281a9cf3da7d662d0a9/
Threat name:
Script-PowerShell.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-08-20 21:29:05 UTC
File Type:
Text (Batch)
AV detection:
3 of 38 (7.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ebmfiwixlbchqcqknlnwxainf77hswxn2y2fanjz462pvtc2cuq._file
Verdict:
malicious
Similar samples:
47749f50fc106280a9d25643ad73d1708610fcf61c1b83ecbfe8c64c86e340ef
AsyncRAT
4e7105da7face5917f66842ba73810d29826cb971140f9da2b0efb7a37de3c0e
AsyncRAT
61be8cdec38d60d5a8a64fd0f891656f0410825d7c1181d7f40eb6aaf56d3521
AsyncRAT
95a0a3662521617e193e1a64160490860af2b3ef0c9dc6d9caeae82e8b75df67
AsyncRAT
974fa2c6aa2c4fc4215ddae9419bb042214ffb5638eb6165db7f3afbd1e1144c
AsyncRAT
b090e91734b2b0159a3c73193665c461c57f46d8d10e9a01f662149b98c228db
AsyncRAT
b31c082dea750e9be6e1cf866efaef2c129e836c5db54198089a8745c79a4569
AsyncRAT
d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be
AsyncRAT
e9862583e03d49e791f0aaabb974ba4054cea75a57fec9660b59dd3342cd65de
AsyncRAT
+ 2'658 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default evasion rat
Link:
https://tria.ge/reports/230820-1bwg1she32/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Sets file to hidden
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
127.0.0.1:8848
127.0.0.1:8858
127.0.0.1:8989
thwit.ddns.net:8848
thwit.ddns.net:8858
thwit.ddns.net:8989
Dropper Extraction:
http://7l.ddns.net:8888/dcr3.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d902c2a2c8bac223c0505356db5c08697ff3cad76eb1a281a9cf3da7d662d0a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Batch (bat) bat d902c2a2c8bac223c0505356db5c08697ff3cad76eb1a281a9cf3da7d662d0a9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/443855/
  
URLhaus
https://urlhaus.abuse.ch/url/2705846/
  
Delivery method
Distributed via web download

Comments