MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6
SHA3-384 hash: 004d6b30b36c9e9e5b93456bcf5bdd83f1f7de312071e82969b3096099a8a1d43ecabc046203152b87c068c4c362a761
SHA1 hash: 061bc37959d0ac82661cf7c4dcb9c5d9e5ffd447
MD5 hash: 4f39a0a0d306166c3175ed599e0793ec
humanhash: glucose-floor-jig-shade
File name:64th_(Service).exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:12'389'888 bytes
First seen:2025-07-22 19:24:11 UTC
Last seen:2025-07-23 08:27:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b1631af7ca421e7e204ec449ae66226 (8 x AsyncRAT)
ssdeep 196608:9CONHOqR9ily4oLivp1bXxBRViX0SycZactiL0J5p5ZvA2xqZ7XKn1VufOce:jjXiw4oLih1FBRnSyeLHp5ZuH
TLSH T1C3C622D20AE156B0C0D74310618A579E2882E99D42FC6D1E3CD06C926B5DEFF258EFB7
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
55
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64th_Service.exe
Verdict:
Malicious activity
Analysis date:
2025-07-22 19:18:52 UTC
Tags:
possible-phishing loader confuser
Link:
https://app.any.run/tasks/3673daa3-07f9-44b6-900e-bb4cf1c674d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16396/
Detection(s):
SecuriteInfo.com.Trojan.Siggen31.42002.28810.3716.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687fe41984b37dd61ef0b9f0
Tags:
infosteal phishing rapid
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the system32 directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed vmprotect
Link:
https://www.filescan.io/uploads/687fe55f8a7d628a81bd5b41/reports/18bc2fef-b8b8-442f-8604-1b765f00d4a4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5cb3e692-3f0d-4d01-a86c-4bf41d99d96d
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1742282
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1742282 Sample: 64th_(Service).exe Startdate: 22/07/2025 Architecture: WINDOWS Score: 100 27 v3-euw.cluster.rel.tunnels.api.visualstudio.com 2->27 29 tunnels-prod-rel-euw-v3-cluster.westeurope.cloudapp.azure.com 2->29 31 4 other IPs or domains 2->31 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 PE file contains section with special chars 2->43 45 3 other signatures 2->45 8 64th_(Service).exe 9 2->8         started        signatures3 process4 dnsIp5 33 candid-shortbread-420b64.netlify.app 98.84.224.111, 443, 49690 TWC-11351-NORTHEASTUS United States 8->33 25 C:\Windows\System32\wvvtipou.exe, PE32+ 8->25 dropped 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->47 49 Suspicious powershell command line found 8->49 51 Drops executables to the windows directory (C:\Windows) and starts them 8->51 53 2 other signatures 8->53 13 wvvtipou.exe 14 8 8->13         started        17 powershell.exe 23 8->17         started        19 conhost.exe 8->19         started        file6 signatures7 process8 dnsIp9 35 tunnels-prod-rel-euw-v3-cluster.westeurope.cloudapp.azure.com 20.103.221.187, 443, 49691 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->35 37 prod.keyauth.com 104.21.16.1, 443, 49693 CLOUDFLARENETUS United States 13->37 55 Multi AV Scanner detection for dropped file 13->55 57 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->57 59 Found direct / indirect Syscall (likely to bypass EDR) 13->59 61 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->61 63 Loading BitLocker PowerShell Module 17->63 21 conhost.exe 17->21         started        23 WmiPrvSE.exe 17->23         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/4f39a0a0d306166c3175ed599e0793ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6/
Verdict:
Malicious
Threat:
Win64.Malware.Heuristic
Link:
https://tip.neiki.dev/file/a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uoelpilmeahcx44jjxok66dfcbxujohepgkrfy7ococnxitdkh3a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250722-x4fqgsznx7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
ConfuserEx .NET packer
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
Phishing
YARA:
n/a
Link:
https://app.threat.zone/submission/03d8584f-dcf6-47fb-85e9-d2b108b18615
Unpacked files
SH256 hash:
a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6
MD5 hash:
4f39a0a0d306166c3175ed599e0793ec
SHA1 hash:
061bc37959d0ac82661cf7c4dcb9c5d9e5ffd447
Link:
https://www.unpac.me/results/688ffc4c-a537-4c68-aba1-a716a1027d46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe a388b7a16c200e2bf3894ddcaf7865106f44b8e4799512e3ee1384dba26351f6

(this sample)

Executable exe e82c9e1d76e12b280f69a471e33a95c9a4f3b2b6babd9e7287242b86fc67ea5e

Cape
Cape
https://www.capesandbox.com/analysis/16396/
  
Dropping
SHA256 e82c9e1d76e12b280f69a471e33a95c9a4f3b2b6babd9e7287242b86fc67ea5e
  
Dropping
MD5 449a82c89b39f684ddaabb534f6e0c4c
  
Dropping
SHA256 e34e0646332bb763ba3b6d850a329a2292130847e25ff85352f4d5d59296648f
  
Dropping
MD5 f747ae721dcdcbf06aedaa75a896563e
  
URLhaus
https://urlhaus.abuse.ch/url/3588301/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsWININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleScreenBufferSize

Comments