MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3
SHA3-384 hash: 69cca4f8e8cf1667eb61e77a9c1a775a94de42537cc12fd31abf285ab6fac653dc9962012db4ed8be2ed80db3f5801ec
SHA1 hash: ca8a7d01e10921acf7395e17a785769ebbad98df
MD5 hash: afd3353ec2e90706310170540f465c93
humanhash: butter-early-spring-twelve
File name:BJPJGBFB.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:9'198'648 bytes
First seen:2025-05-21 10:59:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 196608:+pb8WrlkTzap5BPalg6AOW4ob3p+dwWnwBmYaTWMnT:+pbrreOXPazAOW5+mMYaKG
Threatray 181 similar samples on MalwareBazaar
TLSH T14D963341778179F4DA6246769F6FC382A2FBC3187811EC8BAA767F520C931C8074B9D6
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter JAMESWT_WT
Tags:AsyncRAT cachepeak-cfd exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
483
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BJPJGBFB.exe
Verdict:
Malicious activity
Analysis date:
2025-05-21 11:01:29 UTC
Tags:
hijackloader loader
Link:
https://app.any.run/tasks/529446d3-673b-4c08-955e-7bcb64117972

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682db264c28c67d66643814a
Tags:
vmdetect autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer microsoft_visual_cc overlay overlay packed packer_detected
Link:
https://www.filescan.io/uploads/682db264c609634bd7cd8b03/reports/28f6bf5b-07d8-43ff-9edd-2e11e7690cfb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4943099b-64ce-4060-bda8-13bf9e4318ca
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1695790
Signature
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695790 Sample: BJPJGBFB.exe Startdate: 21/05/2025 Architecture: WINDOWS Score: 80 48 unositescdn.buzz 2->48 60 Suricata IDS alerts for network traffic 2->60 62 Multi AV Scanner detection for submitted file 2->62 9 BJPJGBFB.exe 9 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\VectBl.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\...\vcruntime140.dll, PE32 9->34 dropped 36 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 9->36 dropped 38 2 other files (none is malicious) 9->38 dropped 12 VectBl.exe 8 9->12         started        process6 file7 40 C:\ProgramData\patchwizard_x86\VectBl.exe, PE32 12->40 dropped 42 C:\ProgramData\...\vcruntime140.dll, PE32 12->42 dropped 44 C:\ProgramData\patchwizard_x86\msvcp140.dll, PE32 12->44 dropped 46 2 other files (none is malicious) 12->46 dropped 68 Binary is likely a compiled AutoIt script file 12->68 70 Switches to a custom stack to bypass stack traces 12->70 72 Found direct / indirect Syscall (likely to bypass EDR) 12->72 16 VectBl.exe 6 12->16         started        signatures8 process9 file10 26 C:\ProgramData\RaServer.exe, PE32+ 16->26 dropped 28 C:\Users\user\AppData\Roaming\...\7za.exe, PE32+ 16->28 dropped 30 C:\Users\user\AppData\Local\...20DF8D.tmp, PE32+ 16->30 dropped 52 Binary is likely a compiled AutoIt script file 16->52 54 Modifies the context of a thread in another process (thread injection) 16->54 56 Found hidden mapped module (file has been removed from disk) 16->56 58 3 other signatures 16->58 20 RaServer.exe 2 16->20         started        24 7za.exe 16->24         started        signatures11 process12 dnsIp13 50 unositescdn.buzz 172.67.206.69, 49721, 80 CLOUDFLARENETUS United States 20->50 64 Binary is likely a compiled AutoIt script file 20->64 66 Found direct / indirect Syscall (likely to bypass EDR) 20->66 signatures14
Score:
80%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-20 05:09:56 UTC
File Type:
PE (Exe)
Extracted files:
1630
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdgww2ftcksmm2lh3kk4pq7zrkzmj5pmy57lfnqjm5mrdd3mytrq._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
002c9d6070fe8ba48e26cde3161c24c745534b732e4b2748c8198d65b3da1aa4
AsyncRAT
19f6b0cbf4d58ca4c4dda40eb41107ad5bdf05fb914dd3c5fdb101dbde4532e8
AsyncRAT
8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310
AsyncRAT
a5c2cd0db95e87a627f59f7c0b66753969a6a036744e21e437ead5074b9a30a3
AsyncRAT
a5e0756405dea5b805018097497b69a945289cda1c57f1577f1da2706c7b52bb
AsyncRAT
b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea
AsyncRAT
c914d5fdf19e28d07cb1ddae7b5f03574a4e6eea45875602b6c7aaca81d45611
AsyncRAT
d933e301cf2ccd346117f1016ea6fcf491486403966ad39220cff9f847714e38
AsyncRAT
d93af51ed0b419e34da902a27bbcad50288cc80746d35a32ceac161cfa9d0858
AsyncRAT
dbb8323b67e456a39df69d6de430c66654f6ca05fd104afb70be3a46def254de
AsyncRAT
error
AsyncRAT
+ 171 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250521-m4at5aam31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/086037fd-fce1-4b53-aa5a-c36fbee0dee9
Unpacked files
SH256 hash:
10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3
MD5 hash:
afd3353ec2e90706310170540f465c93
SHA1 hash:
ca8a7d01e10921acf7395e17a785769ebbad98df
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
SH256 hash:
626d31183b02c32305786c2c772de91fb534f568f13d3c960cb4c8dc14c63aa0
MD5 hash:
c7183dad0e48f27877fe050e693f31c5
SHA1 hash:
78e8821ab6e86773af587e591c470f9de40b7454
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
SH256 hash:
9d8baf7a685c8c42be3ef28fcb91eca7c853ba6d368b9856ad21f573dc4c463d
MD5 hash:
5e79f623e2b098ff54b9c7a0d7bf96aa
SHA1 hash:
e0ca2a691e23a519ef6e27e4643324dfa02ece1f
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
SH256 hash:
a07fd07b9e103ca952500a398868287acb29a387f920f85f4cc885c90e4cac67
MD5 hash:
0f8b01ad08d60373326b9ca09ffad516
SHA1 hash:
e2c405759aa06f5a216d698fa9bd049eb1e97f17
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
SH256 hash:
2fdc0cf8917014841661c78a31094bb11319462d6a313d8b3751da2c41baf13a
MD5 hash:
12d63edf20bb7a3320ce1eb24dcbb881
SHA1 hash:
f255825247f7d81a270f4eef61b83f434c69dd44
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
SH256 hash:
edfab4db24d4ea4db3e774272e7da99b42b04a7b0416f9e8fe389efe7c7c2c6b
MD5 hash:
70ed12d821b225cdc2572ddc0d8b67af
SHA1 hash:
f5853dc1b88821ea65960a3744fccd25c901b366
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
SH256 hash:
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash:
cabb58bb5694f8b8269a73172c85b717
SHA1 hash:
9ed583c56385fed8e5e0757ddb2fdf025f96c807
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
SH256 hash:
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash:
d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash:
b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Link:
https://www.unpac.me/results/f622e612-69b7-48d3-a98f-d43df857538a/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10cd6b68b312/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:sus_pe_free_without_allocation
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security
Rule name:win_rat_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic RAT malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3548888/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments