MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb30ab0173d9def4895227fbc1f82c21bbd7af6209d268a483c57e5ee04926b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb30ab0173d9def4895227fbc1f82c21bbd7af6209d268a483c57e5ee04926b3
SHA3-384 hash: e17c53a0fadeff01a003df121afd75242f498a0be2e55cdfdf9caeda0e1479b7cef3054f66a2c40937ab104aeecff5bb
SHA1 hash: f1c8e44dc4b7bd14996cfb85a52f5824ce239528
MD5 hash: 83b2679df9dc5acada83e0de6f916530
humanhash: washington-diet-queen-harry
File name:Invoices_391.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:7'753 bytes
First seen:2021-09-28 05:56:24 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:PnNTJhS9INIKMVGQRX8+HLz9spiINIVIWjnCQRX8Lnaa:PnNT2INIRRX8+Hm4INIVI8xRXAx
Threatray 1'501 similar samples on MalwareBazaar
TLSH T1C2F1103CE60376DE741D5E2D09CB77295A10C0B5C953E6F9C740FAAC69EEB40AB51238
Reporter abuse_ch
Tags:AsyncRAT RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192340/
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.5344.30447.26904.UNOFFICIAL
Create hunting rule

Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/859519
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: CrackMapExec PowerShell Obfuscation
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb30ab0173d9def4895227fbc1f82c21bbd7af6209d268a483c57e5ee04926b3/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 05:57:10 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mykwalt3hppjckse754d6bmeg55pl3cbhjgrjedyv7f5ycje2zq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0741c36ad10f51f858eefc2e2f0879c9ef1ae90af61d766bd50ebcc67f4d5579
AsyncRAT
12f2e964639c39076f29196264c1dcbd3792eaaaa77aca14986a802a122b341b
AsyncRAT
486b4fcc5a6e4f4e949aa11aa3f2e9d8d2075ac8445617af8c41ab214f6dbfa0
AsyncRAT
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
AsyncRAT
70c61a7220e7df5841fded5bafa8340c388440911f8c894b35872188f300f29d
AsyncRAT
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
AsyncRAT
831d7b676bb75c44df50f40798fe739cb07d4c0b1ee217a7e8fea443f7b00346
AsyncRAT
ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42
AsyncRAT
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
AsyncRAT
+ 1'491 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210928-gnlzkaagbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
Dropper Extraction:
http://13.78.207.84/bodyONME.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/eb30ab0173d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb30ab0173d9def4895227fbc1f82c21bbd7af6209d268a483c57e5ee04926b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Visual Basic Script (vbs) vbs eb30ab0173d9def4895227fbc1f82c21bbd7af6209d268a483c57e5ee04926b3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192340/

Comments