MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992
SHA3-384 hash: e98366e5624ee84774a0bf9ec40615a74a6943ecfa7bf7d120dd36de7c264e15542b9810b89bfb212cf3e90c2525388c
SHA1 hash: 6369bf3d171f0925e06b99481f815f8e76a785fe
MD5 hash: eaa8286643fe21d839a3bbb3abe8ca62
humanhash: paris-carolina-south-failed
File name:64th Services.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:225'216 bytes
First seen:2025-06-27 11:58:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:f8aLABYw+cVvOlEcrK19xJMNexuev693dPVXpNuAjR3ZL9+Z51e/Ws64TdBFc3df:fnL0Yw+cMlEcrIJyDpgsnWiZxdLO
TLSH T1792418868AD48515ED6A0F78A472DE390633BE557C39F20D8DD97CAB3BB33C20425762
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 64b231e4b4acec60 (8 x AsyncRAT)
Reporter burger
Tags:AsyncRAT exe signed

Code Signing Certificate

Organisation:Winamp SA
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-15T00:00:00Z
Valid to:2024-06-12T23:59:59Z
Serial number: 08d4bf5a529c725997e0f6c526495d2f
Intelligence: 45 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: db796af1ce42a1f71907fc7f6c06313f29fda38a2059dadfb09bf21943338286
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64thServices.exe
Verdict:
Malicious activity
Analysis date:
2025-06-27 11:49:51 UTC
Tags:
github loader confuser
Link:
https://app.any.run/tasks/bb798138-fa5b-4dca-b181-dcaa9deb3645

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/11351/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.13640.29938.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685e879f0fceda814b468bdf
Tags:
emotet micro blic sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expired-cert obfuscated signed
Link:
https://www.filescan.io/uploads/685e87a5d1f1eb5d81c870c8/reports/1e5e4c31-c6fb-4d12-839d-1de520fea3e9/overview
Verdict:
Malicious
Labled as:
PowerShell_TrojanDownloader_Agent_MTY
Link:
https://www.hybrid-analysis.com/sample/4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54c5eb43-3ff5-4770-9486-a31e189abbe6
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1724146
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1724146 Sample: 64th Services.exe Startdate: 27/06/2025 Architecture: WINDOWS Score: 100 60 raw.githubusercontent.com 2->60 62 prod.keyauth.com 2->62 64 4 other IPs or domains 2->64 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 11 other signatures 2->78 10 64th Services.exe 14 17 2->10         started        15 Microsoft.ServiceHub.Controller.exe 2->15         started        signatures3 process4 dnsIp5 68 github.com 140.82.114.4, 443, 49695 GITHUBUS United States 10->68 70 raw.githubusercontent.com 185.199.110.133, 443, 49696 FASTLYUS Netherlands 10->70 52 C:\Users\user\AppData\Local\...\tmp2B63.exe, PE32+ 10->52 dropped 54 C:\Users\user\...\64th Services.exe.log, CSV 10->54 dropped 90 Loading BitLocker PowerShell Module 10->90 92 Reads the Security eventlog 10->92 94 Reads the System eventlog 10->94 17 tmp2B63.exe 14 9 10->17         started        22 conhost.exe 10->22         started        24 WmiPrvSE.exe 10->24         started        96 Multi AV Scanner detection for dropped file 15->96 98 Queries memory information (via WMI often done to detect virtual machines) 15->98 file6 signatures7 process8 dnsIp9 56 prod.keyauth.com 104.21.16.1, 443, 49702 CLOUDFLARENETUS United States 17->56 58 files.catbox.moe 108.181.20.35, 443, 49698 ASN852CA Canada 17->58 46 C:\...\Microsoft.ServiceHub.Controller.exe, PE32 17->46 dropped 80 Multi AV Scanner detection for dropped file 17->80 82 Found direct / indirect Syscall (likely to bypass EDR) 17->82 26 Microsoft.ServiceHub.Controller.exe 7 17->26         started        file10 signatures11 process12 file13 48 C:\...\Microsoft.ServiceHub.Controller.exe, PE32 26->48 dropped 50 Microsoft.ServiceHub.Controller.exe.log, CSV 26->50 dropped 84 Multi AV Scanner detection for dropped file 26->84 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->86 88 Queries memory information (via WMI often done to detect virtual machines) 26->88 30 cmd.exe 26->30         started        33 cmd.exe 26->33         started        signatures14 process15 signatures16 100 Uses schtasks.exe or at.exe to add and modify task schedules 30->100 35 conhost.exe 30->35         started        37 schtasks.exe 30->37         started        39 Microsoft.ServiceHub.Controller.exe 33->39         started        42 conhost.exe 33->42         started        44 timeout.exe 33->44         started        process17 dnsIp18 66 157.97.11.134, 8080 NOVAIS-ASIS Iceland 39->66
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992/
Threat name:
Win32.Backdoor.Asyncrat
Create hunting rule
Status:
Malicious
First seen:
2025-06-27 08:44:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jswxrp4al7myyjhpakpdvgunlpye2hhugtpgkfpulhbgzt2wjgja._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/250627-n5yg9aysez/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
157.97.11.134:8080
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fa589798-2b6b-4911-b560-a1b2779b8349
Unpacked files
SH256 hash:
4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992
MD5 hash:
eaa8286643fe21d839a3bbb3abe8ca62
SHA1 hash:
6369bf3d171f0925e06b99481f815f8e76a785fe
Link:
https://www.unpac.me/results/1c59f0ed-1146-421e-8a6a-58cd80f72c87/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4cad78bf805f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AsyncRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_MalCert_65514fe0
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

Executable exe 4cad78bf805fd98c24ef029e3a9a8d5bf04d1cf434de6515f459c26ccf564992

(this sample)

AsyncRAT

Executable exe 554164a516f97a316f1fd1506adf6b033ea521df1afefc90b26cccce4dd90844

Cape
Cape
https://www.capesandbox.com/analysis/11351/
  
Dropping
SHA256 554164a516f97a316f1fd1506adf6b033ea521df1afefc90b26cccce4dd90844
  
Dropping
MD5 f3c05933f17af606c170b0d7139cc0cd

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high

Comments