MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad
SHA3-384 hash: aa09dc3a8ff24fba3dc1c02b11466af7f6ff25fb5a521c5d7c569eb8eabe4ff7de8b31e16c518cd4c1466cb3a545de07
SHA1 hash: 32264eb4057227a78f91f1aad342cd6fac3533db
MD5 hash: e9c94d33539bfa16bc86d65ac6b49705
humanhash: twelve-connecticut-harry-happy
File name:0..js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'391'505 bytes
First seen:2025-04-29 09:25:00 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:ereTrRkrQ7eqrRxrQBeTrRkrQ7eqrRxrQrrxrwsrjrrqrwrroBeerSxrL7eer0J/:F+PMD
Threatray 140 similar samples on MalwareBazaar
TLSH T1FF558F6693670C31FCCB6279147C5D640EDE1CE224E7374EEB3A48886E2CA59E367178
Magika javascript
Reporter JAMESWT_WT
Tags:arannsasaaransasaturituri2024-duckdns-org AsyncRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilJS.NothingFromNothing.20250403.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68109f39c8b2e86d0ac43d8c
Tags:
trojware cryxos shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/68109b0046fe05453ca9c744/reports/daf057d7-8059-419f-8038-e7f8a3c163e2/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad
Result
Threat name:
AsyncRAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677155
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677155 Sample: 0..js Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 27 arannsasaaransasaturituri2024.duckdns.org 2->27 29 paste.ee 2->29 31 2 other IPs or domains 2->31 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 49 17 other signatures 2->49 9 wscript.exe 1 1 2->9         started        signatures3 45 Uses dynamic DNS services 27->45 47 Connects to a pastebin service (likely for C&C) 29->47 process4 signatures5 51 JScript performs obfuscated calls to suspicious functions 9->51 53 Suspicious powershell command line found 9->53 55 Wscript starts Powershell (via cmd or directly) 9->55 57 2 other signatures 9->57 12 powershell.exe 15 16 9->12         started        process6 dnsIp7 33 paste.ee 23.186.113.60, 443, 49693 KLAYER-GLOBALNL Reserved 12->33 35 archive.org 207.241.224.2, 443, 49691 INTERNET-ARCHIVEUS United States 12->35 37 ia801700.us.archive.org 207.241.233.30, 443, 49692 INTERNET-ARCHIVEUS United States 12->37 59 Found Tor onion address 12->59 61 Creates autostart registry keys with suspicious values (likely registry only malware) 12->61 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->63 65 2 other signatures 12->65 16 jsc.exe 2 12->16         started        19 cmd.exe 1 12->19         started        21 conhost.exe 12->21         started        signatures8 process9 dnsIp10 25 arannsasaaransasaturituri2024.duckdns.org 164.152.167.246, 3009, 49694 MONSANTO-INETUS United States 16->25 23 conhost.exe 19->23         started        process11
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad/
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2025-04-24 01:27:32 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 36 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4scg25yoxataqb25hywwyothksxf4cdde727t2t76zbvwsyefkwq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0cb83a22eb4440dd9f04329ecd54615827916b54d0765818c315c3c034183248
AsyncRAT
0e97373d9626a28e247fa42b6735441aa606cdc5b1ef1bf1afdc0966b73bed4f
AsyncRAT
19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62
AsyncRAT
62c0672bd77beaab3e5546944e23f7db1f66a207d9eecbedcaaebb4bfc47b954
AsyncRAT
652f9425904c1411899bffd5d6396a611b4b74a901e0b3481a808da904c76ccb
AsyncRAT
6744b66a3d8307ce51ec575669dfb2d0f11e00a36bb1e8c930db3a74c0cb4b89
AsyncRAT
85a225ec318849b576b381f4153502bc0466f56ee1afd3ee1953a0f455fd3cf6
AsyncRAT
cae1625466a6a04016312d888281c5aa0a4a75ef23d338f1d68cc15e9774a331
AsyncRAT
error
AsyncRAT
+ 130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250429-ldrjhszpy5/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Java Script (JS) js e4846d770eb82608075d3e2d6c3a6754ae5e086327f5f9ea7ff6435b4b042aad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3530016/
  
Delivery method
Distributed via web download

Comments