MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb1bbb6f69b880896f615b9ad613ad5f11bea4ddce31f5a18a0616cd600799a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 7

Intelligence 7 IOCs 1 YARA File information Comments

SHA256 hash:	dcb1bbb6f69b880896f615b9ad613ad5f11bea4ddce31f5a18a0616cd600799a
SHA3-384 hash:	294956842f80f8bdd6f3596e0499a6855c59709841d3340e067de3764a64d2f73503401612b5ad9f2017e3935c54e2ab
SHA1 hash:	6af67257401bd289c148424deee9ef53d6b55868
MD5 hash:	bfbe89c59762c5d8071a3cbdef890783
humanhash:	mississippi-violet-earth-magnesium
File name:	Billss-1873578583.vbs
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	7'772 bytes
First seen:	2021-09-21 18:25:42 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	192:2TjQxEFXNIFX0zREJXCIjX+ReEIX2IhXodN2cxVpN2cC:2Tj2
Threatray	1'456 similar samples on MalwareBazaar
TLSH	T1EDF12D2EE0A3D5514769C302CB98BE2C5C1D0889CA35B95CA5F76680AF30FA46A54F7F
Reporter	abuse_ch
Tags:	AsyncRAT RAT vbs

abuse_ch

AsyncRAT C2:
142.202.240.117:8808

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
142.202.240.117:8808	https://threatfox.abuse.ch/ioc/224511/

Intelligence

File Origin

# of uploads :

1

# of downloads :

427

Origin country :

n/a

Vendor Threat Intelligence

Detection:

asyncrat

Link:

https://www.capesandbox.com/analysis/189951/

Detection(s):

Vbs.Downloader.Agent-9893456-1

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/855127

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found malware configuration

Sigma detected: CrackMapExec PowerShell Obfuscation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

VBScript performs obfuscated calls to suspicious functions

Very long command line found

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcb1bbb6f69b880896f615b9ad613ad5f11bea4ddce31f5a18a0616cd600799a/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3sy3xnxwtoearfxwcw422yj22xyrx2sn3trr6wqyubqwzvqapgna._file

Verdict:

malicious

Label(s):

asyncrat

Similar samples:

0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d

16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a

220bb2b7deba41f53a8d86d677691aff283314a29c27cc49b2ba396699237825

438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49

b51c07d9a4e50ac499514d378320260821bd7486acd1077a6bddf8ab70c6a2b3

bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de

ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611

ecb8839117d73d33390c84f7f6e02f4970156ccb2da7b48083922f60625fa8be

fee6cda76d8c5b289b76deba1176049e529f51ac06f817a8a22ec77b17d74f35

+ 1'446 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat

Link:

https://tria.ge/reports/210921-w277aaaca8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Blocklisted process makes network request

Async RAT payload

AsyncRat

Malware Config

Dropper Extraction:

https://cdn.discordapp.com/attachments/851105085270523917/889639428555956224/de.txt

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dcb1bbb6f69b880896f615b9ad613ad5f11bea4ddce31f5a18a0616cd600799a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/189951/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample