MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e86017b846165690bcaf38242e09df96651aec60e9c2dae4bf50de8ace77f029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e86017b846165690bcaf38242e09df96651aec60e9c2dae4bf50de8ace77f029
SHA3-384 hash: ee6c67da60bc11b188cb71b08ffee38a6f38b3879bbdee0e27f6304c952ea2c6a9442a7807166686f8dbb58a54e7e4db
SHA1 hash: 43e75344d3946d7ea60ae243a5c28146931cac6c
MD5 hash: a2102b6bfb32fa339adaa869026518a7
humanhash: pluto-idaho-undress-tennessee
File name:INVOICE#BUSAPOMKDS03.lnk
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'849 bytes
First seen:2024-03-22 07:22:09 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 48:8GKJoWcufNXZd5t5aIXjJ2JXjJ2Keh4UWJBE2Fe7:8vocd5t5a6JCzJneOUCBE8e7
TLSH T19431E9067BFA4720F6F30B7068F693A18EB2706BAA42D72E4045014E16A1E14A868F77
Reporter abuse_ch
Tags:AsyncRAT lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/e86017b846165690bcaf38242e09df96651aec60e9c2dae4bf50de8ace77f029/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd lolbin masquerade
Link:
https://www.filescan.io/uploads/65fd31db757c624818b5f2b6/reports/13791ae1-64ad-4939-928a-a9422f1d66f0/overview
Verdict:
Suspicious
Labled as:
LNK/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/e86017b846165690bcaf38242e09df96651aec60e9c2dae4bf50de8ace77f029
Result
Threat name:
AsyncRAT, Metasploit, VenomRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1413891
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Found URL in windows shortcut file (LNK)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Opens network shares
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Copy file to startup via Powershell
Sigma detected: Drops script at startup location
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected MetasploitPayload
Yara detected Powershell download and execute
Yara detected VenomRAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1413891 Sample: INVOICE#BUSAPOMKDS03.lnk Startdate: 22/03/2024 Architecture: WINDOWS Score: 100 132 vbdsg.duckdns.org 2->132 134 kdfsv.duckdns.org 2->134 136 4 other IPs or domains 2->136 180 Snort IDS alert for network traffic 2->180 182 Multi AV Scanner detection for domain / URL 2->182 184 Found malware configuration 2->184 188 24 other signatures 2->188 12 cmd.exe 3 25 2->12         started        16 cmd.exe 2->16         started        signatures3 186 Uses dynamic DNS services 134->186 process4 file5 118 C:\Users\user\Pictures\windows.vbs, ASCII 12->118 dropped 120 C:\Users\user\Pictures\upload.vbs, ASCII 12->120 dropped 122 C:\Users\user\Pictures\update.vbs, ASCII 12->122 dropped 124 4 other malicious files 12->124 dropped 214 Windows shortcut file (LNK) starts blacklisted processes 12->214 216 Wscript starts Powershell (via cmd or directly) 12->216 218 Obfuscated command line found 12->218 220 4 other signatures 12->220 18 wscript.exe 1 12->18         started        21 wscript.exe 1 12->21         started        23 wscript.exe 12->23         started        29 10 other processes 12->29 25 cmd.exe 16->25         started        27 conhost.exe 16->27         started        signatures6 process7 dnsIp8 162 Suspicious powershell command line found 18->162 164 Very long command line found 18->164 166 Bypasses PowerShell execution policy 18->166 168 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->168 32 powershell.exe 7 18->32         started        35 powershell.exe 7 21->35         started        37 powershell.exe 23->37         started        170 Windows shortcut file (LNK) starts blacklisted processes 25->170 172 Wscript starts Powershell (via cmd or directly) 25->172 174 Opens network shares 25->174 39 wscript.exe 25->39         started        41 wscript.exe 25->41         started        43 wscript.exe 25->43         started        47 9 other processes 25->47 140 192.168.2.9, 443, 49704, 49706 unknown unknown 29->140 142 192.168.2.16 unknown unknown 29->142 144 239.255.255.250 unknown Reserved 29->144 176 Obfuscated command line found 29->176 178 Suspicious execution chain found 29->178 45 powershell.exe 29->45         started        49 13 other processes 29->49 signatures9 process10 dnsIp11 148 Suspicious execution chain found 32->148 150 Found suspicious powershell code related to unpacking or dynamic code loading 32->150 59 2 other processes 32->59 62 2 other processes 35->62 64 2 other processes 37->64 152 Windows shortcut file (LNK) starts blacklisted processes 39->152 154 Suspicious powershell command line found 39->154 156 Wscript starts Powershell (via cmd or directly) 39->156 52 powershell.exe 39->52         started        158 Very long command line found 41->158 55 powershell.exe 41->55         started        57 powershell.exe 43->57         started        66 2 other processes 45->66 68 13 other processes 47->68 126 www.sbmxl.org 49->126 128 www.google.com 142.250.176.196, 443, 49729 GOOGLEUS United States 49->128 130 sbmxl.org 198.46.140.74, 443, 49721, 49722 AS-COLOCROSSINGUS United States 49->130 160 Obfuscated command line found 49->160 70 16 other processes 49->70 signatures12 process13 dnsIp14 190 Windows shortcut file (LNK) starts blacklisted processes 52->190 192 Suspicious powershell command line found 52->192 72 2 other processes 52->72 75 2 other processes 55->75 77 2 other processes 57->77 138 nanoshield.pro 104.21.37.30, 443, 49734, 49738 CLOUDFLARENETUS United States 59->138 79 2 other processes 59->79 82 2 other processes 62->82 84 2 other processes 64->84 194 Writes to foreign memory regions 66->194 196 Injects a PE file into a foreign processes 66->196 86 2 other processes 66->86 198 Wscript starts Powershell (via cmd or directly) 68->198 200 Obfuscated command line found 68->200 202 Very long command line found 68->202 88 18 other processes 68->88 90 4 other processes 70->90 signatures15 process16 dnsIp17 92 powershell.exe 72->92         started        94 RegAsm.exe 72->94         started        104 2 other processes 75->104 204 Injects a PE file into a foreign processes 77->204 106 2 other processes 77->106 146 vbdsg.duckdns.org 154.30.255.175, 49750, 49752, 49754 KVCNET-2009US United States 79->146 96 conhost.exe 79->96         started        206 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 82->206 98 conhost.exe 82->98         started        100 conhost.exe 84->100         started        102 conhost.exe 86->102         started        208 Windows shortcut file (LNK) starts blacklisted processes 88->208 210 Suspicious powershell command line found 88->210 212 Writes to foreign memory regions 88->212 108 6 other processes 88->108 signatures18 process19 process20 110 conhost.exe 92->110         started        112 conhost.exe 104->112         started        114 conhost.exe 106->114         started        116 conhost.exe 108->116         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e86017b846165690bcaf38242e09df96651aec60e9c2dae4bf50de8ace77f029/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bqbpocgczljbpfphasc4co7szsrv3da5hbnvzf7kdpivttx6auq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240322-h7s3nahh62/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e86017b846165690bcaf38242e09df96651aec60e9c2dae4bf50de8ace77f029

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Shortcut (lnk) lnk e86017b846165690bcaf38242e09df96651aec60e9c2dae4bf50de8ace77f029

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments