MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff86cfa16fa08fb0b9f4f19b755f726832f39dc5b284e3978cf8f20535511485. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff86cfa16fa08fb0b9f4f19b755f726832f39dc5b284e3978cf8f20535511485
SHA3-384 hash: 992eea0d85bc17612c873e252906db4c75b1bb5ef12f8ab2175ebbfe79d77a00f44d3dbc0ef1cd12fd49d50bfd6f3f8d
SHA1 hash: 3df952f0f0a6d7c5717c8d7742377a30b42563fd
MD5 hash: 6cb1a36ce09c3f944e919fdfb801723a
humanhash: uniform-blossom-tennessee-lamp
File name:Document4443-2525-2462.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'886 bytes
First seen:2022-11-21 09:09:47 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 96:rD+DaDOD/DMDaDSDrDaD5XDkDPDZDxUVDMDFDADatDXDADmCDADEwDT4+K:rymy7gmunmFITt+VohUetzU6CUBY+K
Threatray 3'278 similar samples on MalwareBazaar
TLSH T126815A3719C182ED1BAB8D322E171F6C118D2612E80DEFF95CBC0564DAD7E1BB48664C
Reporter abuse_ch
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
Document4443-2525-2462.bat
Verdict:
Malicious activity
Analysis date:
2022-11-21 09:25:06 UTC
Tags:
opendir asyncrat trojan rat
Link:
https://app.any.run/tasks/46e3d1d4-23e4-4438-9fe5-9244193d4db7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336651/
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/637b4070731e6890eeaccab9/reports/9f6f0151-cc14-4385-9a2a-85373f8d717b/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1117960
Signature
Bypasses PowerShell execution policy
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Tries to open files direct via NTFS file id
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 750671 Sample: Document4443-2525-2462.bat Startdate: 21/11/2022 Architecture: WINDOWS Score: 76 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Powershell Download and Execute IEX 2->56 58 Uses known network protocols on non-standard ports 2->58 10 cmd.exe 1 2->10         started        13 wscript.exe 1 2->13         started        15 wscript.exe 2->15         started        process3 signatures4 64 Wscript starts Powershell (via cmd or directly) 10->64 17 cmd.exe 1 10->17         started        20 conhost.exe 10->20         started        22 powershell.exe 11 13->22         started        24 powershell.exe 15->24         started        process5 signatures6 52 Wscript starts Powershell (via cmd or directly) 17->52 26 powershell.exe 17 24 17->26         started        31 conhost.exe 22->31         started        33 conhost.exe 24->33         started        process7 dnsIp8 50 147.124.210.143, 222, 49699 AC-AS-1US United States 26->50 46 C:\ProgramData\png\install, ASCII 26->46 dropped 48 C:\ProgramData\png\Report, ASCII 26->48 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 26->66 68 Tries to open files direct via NTFS file id 26->68 35 wscript.exe 1 26->35         started        file9 signatures10 process11 signatures12 60 Wscript starts Powershell (via cmd or directly) 35->60 62 Bypasses PowerShell execution policy 35->62 38 powershell.exe 10 35->38         started        process13 process14 40 conhost.exe 38->40         started        42 schtasks.exe 1 38->42         started        44 schtasks.exe 1 38->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff86cfa16fa08fb0b9f4f19b755f726832f39dc5b284e3978cf8f20535511485/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=76dm7ilpuch3bopu6gnxkx3snazphhofwkcohf4m7dzaknkrcscq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0671d1cf46c957d8ca3084d500f4ccb2e71f5f687868cb5f113127e560422e76
AsyncRAT
1eb738be8b7b77e57127ff63182b375aafd1b2e1c64d7518b35465fb81192ac8
AsyncRAT
6b1263d2d5fecfbd34926b6649b01b0187c6790b8676fb0a43e7919cf175b5c2
AsyncRAT
b50f7c365160c6134ce71e97e646d8245761687aa431a31a12423daf6cf33012
AsyncRAT
e8dd6ca9125d656f8243da0a8224948b838a87c2200c247ea5e3b28ede034488
AsyncRAT
ed7156a259cecc750c121faed21545185d9436de677556ef9e271e519073fb34
AsyncRAT
+ 3'268 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221121-k42xhacf29/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Blocklisted process makes network request
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff86cfa16fa0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff86cfa16fa08fb0b9f4f19b755f726832f39dc5b284e3978cf8f20535511485

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/336651/

Comments