MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df22c1bf851be9c64682e7838b6b88358c64a9e3fd6e8ad305f7303d06660323. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 9



SHA256 hash: df22c1bf851be9c64682e7838b6b88358c64a9e3fd6e8ad305f7303d06660323
SHA3-384 hash: 7207af72714ac68fa7a46adf182585cfea7e731b6d99a60c40acee72a42864f227caa4b579797846c6093f74048ac576
SHA1 hash: 664d48c7c188a5085fde5a50842f63f5f2191bfe
MD5 hash: 151b7fe444af5423ad79c0c83558b402
humanhash: delta-yellow-item-salami
File name: dwm.bat
Signature: AsyncRAT
File size: 438'415 bytes
First seen: 2025-01-30 08:10:17 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 12288:O3WghT6onokzHxgSVW0U/cBGnciS8mJa4Ce:4hT5i9/cBGhFmJaze
TLSH: T1F19412334FA9A9DAA164822E74A2FE1C27585DD0C824D80D17F879CFB5CC909CA3F8D5
Magika: txt
Reporter: JAMESWT_WT
Tags: 0x0-st AsyncRAT bat pureeratee-duckdns-org

Intelligence


File Origin
# of uploads: 1
# of downloads: 93
Origin country: IT
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: dwm.bat
Verdict: Malicious activity
Analysis date: 2025-01-30 08:14:32 UTC
Tags: susp-powershell stealer rat asyncrat remote fody

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 90.2%
Tags: obfuscate shell sage
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm fingerprint obfuscated powershell
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph: ID 1602814 (Sample: dwm.bat, Startdate: 30/01/2025, Architecture: WINDOWS, Score: 100). Network destinations shown in the graph: pureeratee.duckdns.org (193.187.91.218, Sweden) and 0x0.st (168.119.145.117, Germany). The graph rendering itself (cmd.exe / wscript.exe / powershell.exe / csc.exe / cmstp.exe process tree and dropped WindowsUpdate_*.bat/.vbs and *.dll files) is not reproduced here.
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution persistence
Behaviour
Kills process with taskkill
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Adds Run key to start application
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments