MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a126ea617a045454badfb230b3bc86ee5c1ad5698c1285472f71fc8497cbfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT
Vendor detections: 10

SHA256 hash: f1a126ea617a045454badfb230b3bc86ee5c1ad5698c1285472f71fc8497cbfc
SHA3-384 hash: eba1575b8aefdae2b57e1f3d80cd7db65d46e886fc38a94cf1ab8cfb0b935136952084e21fc7ab64853071f1449910b6
SHA1 hash: 6a240f93656757c78537605f55690248db9117dd
MD5 hash: e08706212a60d07fe1004e36519eaae2
humanhash: sweet-edward-avocado-september
File name: ABJ.bat
Signature: AsyncRAT
File size: 50'622 bytes
First seen: 2023-01-17 06:53:33 UTC
Last seen: 2023-01-17 10:41:59 UTC
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 1536:ntXaPUY6USCuhyoQp9ud+w5BNb2mRtONmxS:VasY2QoQGo4Nbbtqm4
Threatray: 2'908 similar samples on MalwareBazaar
TLSH: T19233D02A2B4B3A0C85B5DFD326F93944E51EDCB2BA55C0CEE0C914DD709762DBB91348
Reporter: ankit_anubhav
Tags: AsyncRAT, bat

Intelligence


File Origin
# of uploads: 2
# of downloads: 135
Origin country: TH
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ABJ.bat
Verdict: Malicious activity
Analysis date: 2023-01-17 06:54:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Result
Threat name: Remcos, AsyncRAT, DBatLoader, NetWire
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Renames powershell.exe to bypass HIPS
Sigma detected: Remcos
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected DBatLoader
Yara detected NetWire RAT
Yara detected Remcos RAT
Behaviour
Behavior Graph: ID 785558, sample ABJ.bat, start date 17/01/2023, architecture WINDOWS, score 100. Process tree, network contacts, dropped files and per-process signatures recorded in the graph:

Root (sample start)
  Network: stopeet.camdvr.org; prosir.casacam.net; 4 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 9 other signatures
  Starts: cmd.exe; Gionplpi.exe (two instances)

cmd.exe (root)
  Dropped: C:\Users\user\Desktop\ABJ.bat.exe (PE32+)
  Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Renames powershell.exe to bypass HIPS
  Starts: ABJ.bat.exe; conhost.exe

Gionplpi.exe (two instances, root)
  Network: l-0004.l-dc-msedge.net 13.107.43.13, ports 443, 49714 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); uoajyw.am.files.1drv.com; 3 other IPs or domains
  Starts: iexpress.exe

ABJ.bat.exe (from cmd.exe)
  Network: amalar.camdvr.org 45.133.174.122, ports 2404, 4782, 49699 (ASBLANKPROXIESGB, United Kingdom); 192.168.2.3, ports 138, 2404, 443
  Dropped: C:\Users\user\AppData\Local\Temp\tcvkee.exe (PE32); C:\Users\user\AppData\Local\Temp\fhyjyc.exe (PE32); C:\Users\user\AppData\Local\Temp\qncjsa.bat (DOS)
  Starts: cmd.exe (three instances); each starts powershell.exe and conhost.exe, with "Suspicious powershell command line found"

powershell.exe (three instances, from those cmd.exe instances)
  Starts: fhyjyc.exe; tcvkee.exe; cmd.exe (which starts conhost.exe)

fhyjyc.exe (from powershell.exe)
  Network: uoajyw.am.files.1drv.com; onedrive.live.com; am-files.fe.1drv.com
  Dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Libraries\Gionplpi.exe (PE32; the path is garbled in the extracted graph and is reconstructed from the Gionplpi.exe process that later runs)
  Signatures: Creates multiple autostart registry keys; Writes to foreign memory regions; Allocates memory in foreign processes
  Starts: cmd.exe; colorcpl.exe

tcvkee.exe (from powershell.exe)
  Network: l-0003.l-dc-msedge.net 13.107.43.12, ports 443, 49706, 49717 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); uocppw.am.files.1drv.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\Actyrbxz.exe (PE32)
  Signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
  Starts: iexpress.exe

cmd.exe (from fhyjyc.exe)
  Signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks
  Starts: easinvoker.exe; PING.EXE (contacts 127.0.0.1); xcopy.exe; 6 other processes
  Dropped by xcopy.exe: C:\Windows \System32\easinvoker.exe (PE32+)
  Dropped by the other processes: C:\Windows \System32\netutils.dll (PE32+)

colorcpl.exe (from fhyjyc.exe)
  Signatures: DLL side loading technique detected
  Starts: WerFault.exe

iexpress.exe (from tcvkee.exe)
  Network: stopeet.camdvr.org; prosir.casacam.net; amalar.camdvr.org
  Dropped: C:\Users\user\AppData\Roaming\...\logs.dat (data)

easinvoker.exe (from the cmd.exe above)
  Starts: cmd.exe
    Signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
    Starts: powershell.exe (DLL side loading technique detected; starts conhost.exe); conhost.exe
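Several of the signatures above map directly onto endpoint telemetry checks: a Windows Defender exclusion added from PowerShell, an execution-policy bypass, a renamed copy of powershell.exe (the PE32+ ABJ.bat.exe dropped by cmd.exe is consistent with that signature), ping.exe against loopback used as a sleep, and executables dropped into a "C:\Windows \System32" directory whose Windows component carries a trailing space. The Python below is an added example written for this page, not code from MalwareBazaar or any of the sandbox vendors; it runs those heuristics over constructed Sysmon-style events. The command lines, the use of Add-MpPreference, and the assumption that ABJ.bat.exe is a renamed powershell.exe are assumptions chosen to match the reported behaviour, not data taken from the sample.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    """Minimal Sysmon-style event: event_id 1 = process create, 11 = file create."""
    event_id: int
    image: str = ""
    original_file_name: str = ""   # PE version-info name, as Sysmon logs it
    command_line: str = ""
    target_filename: str = ""


# A "Windows " directory with a trailing space before the backslash, i.e. the
# mock trusted directory seen in the dropped path C:\Windows \System32\easinvoker.exe.
MOCK_WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows \\", re.IGNORECASE)

# Defender exclusion added from PowerShell. Add-MpPreference is the real cmdlet;
# that this sample uses it is an assumption, the page only names the behaviour.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)

# -ExecutionPolicy Bypass, including the -ex / -ep prefix forms PowerShell accepts
EXEC_POLICY_BYPASS_RE = re.compile(r"-(?:executionpolicy|ex|ep)\s+bypass\b", re.IGNORECASE)

# ping against loopback with a repeat count: the usual batch-file sleep
PING_LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
PING_COUNT_RE = re.compile(r"(?:^|\s)-n\s+\d+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events) -> List[Tuple[str, str]]:
    """Return (signature, evidence) pairs for every event that matches a heuristic."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev.event_id == 1:
            cmd = ev.command_line
            # Renamed PowerShell: version info still says powershell.exe, the file name does not
            if ev.original_file_name.lower() == "powershell.exe" and basename(ev.image) != "powershell.exe":
                hits.append(("renamed_powershell", ev.image))
            if EXEC_POLICY_BYPASS_RE.search(cmd):
                hits.append(("execution_policy_bypass", cmd))
            if DEFENDER_EXCLUSION_RE.search(cmd):
                hits.append(("defender_exclusion", cmd))
            if basename(ev.image) == "ping.exe" and PING_LOOPBACK_RE.search(cmd) and PING_COUNT_RE.search(cmd):
                hits.append(("ping_sleep", cmd))
        elif ev.event_id == 11:
            if MOCK_WINDOWS_DIR_RE.match(ev.target_filename):
                hits.append(("mock_windows_dir", ev.target_filename))
    return hits


# CONSTRUCTED events in the shape of the reported behaviour; not telemetry from the sample.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Users\user\Desktop\ABJ.bat.exe", original_file_name="PowerShell.EXE",
          command_line=r'"C:\Users\user\Desktop\ABJ.bat.exe" -ExecutionPolicy Bypass -NoProfile '
                       r"-WindowStyle Hidden -Command Start-Process C:\Users\user\AppData\Local\Temp\fhyjyc.exe"),
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", original_file_name="PowerShell.EXE",
          command_line=r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\Libraries"),
    Event(1, image=r"C:\Windows\System32\PING.EXE", original_file_name="ping.exe",
          command_line="ping 127.0.0.1 -n 5"),
    Event(11, image=r"C:\Windows\System32\xcopy.exe",
          target_filename=r"C:\Windows \System32\easinvoker.exe"),
    # Benign look-alikes that must not fire
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", original_file_name="PowerShell.EXE",
          command_line="powershell.exe -NoProfile -Command Get-Process"),
    Event(1, image=r"C:\Windows\System32\PING.EXE", original_file_name="ping.exe",
          command_line="ping -n 1 192.168.2.1"),
    Event(11, image=r"C:\Windows\System32\svchost.exe",
          target_filename=r"C:\Windows\System32\Tasks\Update.job"),
]


if __name__ == "__main__":
    for signature, evidence in triage(SAMPLE_EVENTS):
        print(f"{signature:24} {evidence}")
```

The mock-directory check is the one worth keeping even without the rest: a path whose `Windows` component ends in a space is never created by a legitimate installer, and the renamed-PowerShell check depends on the OriginalFileName field, so it only works where process-creation logging records version information.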
Threat name: Script-BAT.Trojan.Heuristic
Status: Malicious
First seen: 2023-01-17 06:54:07 UTC
File Type: Text (Batch)
AV detection: 5 of 26 (19.23%)
Threat level: 2/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat rat
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
