MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626
SHA3-384 hash: be09a49888c80d6c4765588a2e107886d89433c816393f47e989d7bd9cde3a572281cac4ab103ef993597d023e76cc09
SHA1 hash: 9f1a0259e653c9d956b809ba20ba4b9471d73575
MD5 hash: 8241a31bacf400b80f22a535838aeda2
humanhash: table-snake-freddie-four
File name:ClivetVpn.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'453 bytes
First seen:2025-11-05 08:01:34 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 48:P4DY777x/CoxSteiu5gXdm4joLld1I6mdXD43jtAtktK5g:P4D8Steiu5gXgXLoN6eyJ
Threatray 1'924 similar samples on MalwareBazaar
TLSH T163511E39B2D75B1002A01D61A435DC5223E5D5CBCEB9186BF4E682C70EB8308CFA0DE1
Magika batch
Reporter smica83
Tags:172-31-37-118--2000 AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
ClivetVpn.bat
Verdict:
Malicious activity
Analysis date:
2025-11-05 08:02:41 UTC
Tags:
github auto-reg asyncrat
Link:
https://app.any.run/tasks/eef2c622-ff65-49b6-ad05-13554493f871

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35401/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690b049d706befaf4ecbd073
Tags:
autorun dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a file in the %temp% directory
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Launching a file downloaded from the Internet
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
certutil certutil evasive lolbin obfuscated timeout
Link:
https://www.filescan.io/uploads/690b04a34425b0b1fd156596/reports/bb1996c6-7723-4493-b005-108cb3717193/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-11-05T05:18:00Z UTC
Last seen:
2025-11-06T11:58:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.MSIL.Agent.gen HEUR:Backdoor.MSIL.SheetRat.gen Backdoor.MSIL.VenomRAT.a HEUR:Trojan-Spy.MSIL.KeyLogger.gen PDM:Trojan.Win32.Tasker.cust Backdoor.MSIL.Darkrat.sb Backdoor.MSIL.Crysan.sb HEUR:Trojan.BAT.Alien.gen PDM:Trojan.Win32.Generic Trojan.MSIL.DInvoke.sb Trojan-Dropper.Win32.Agent.sb Trojan.VBS.Runner.sb HEUR:Trojan-PSW.MSIL.Agent.gen Trojan-Downloader.PowerShell.Agent.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626/results?tab=lookup
Result
Threat name:
Dacic, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1808371
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Dacic
Yara detected Powershell download and execute
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1808371 Sample: ClivetVpn.bat Startdate: 05/11/2025 Architecture: WINDOWS Score: 100 57 release-assets.githubusercontent.com 2->57 59 github.com 2->59 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Sigma detected: Powershell download and execute file 2->71 73 13 other signatures 2->73 10 cmd.exe 2 2->10         started        13 HitsBat.exe 2 2->13         started        signatures3 process4 dnsIp5 75 Suspicious powershell command line found 10->75 77 Tries to download and execute files (via powershell) 10->77 79 Bypasses PowerShell execution policy 10->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 10->81 16 powershell.exe 14 17 10->16         started        21 certutil.exe 3 2 10->21         started        23 conhost.exe 10->23         started        25 2 other processes 10->25 61 172.31.37.118, 2000 unknown unknown 13->61 83 Antivirus detection for dropped file 13->83 signatures6 process7 dnsIp8 53 github.com 140.82.113.4, 443, 49690 GITHUBUS United States 16->53 55 release-assets.githubusercontent.com 185.199.108.133, 443, 49691 FASTLYUS Netherlands 16->55 45 C:\Windows\Temp\ArsHIT.exe, PE32 16->45 dropped 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->63 65 Powershell drops PE file 16->65 27 ArsHIT.exe 9 16->27         started        47 C:\Users\user\AppData\Local\Temp\~sys_2.bat, DOS 21->47 dropped file9 signatures10 process11 file12 49 C:\Users\user\AppData\Roaming\HitsBat.exe, PE32 27->49 dropped 51 C:\Users\user\AppData\...\ArsHIT.exe.log, CSV 27->51 dropped 85 Antivirus detection for dropped file 27->85 31 cmd.exe 1 27->31         started        33 cmd.exe 1 27->33         started        signatures13 process14 process15 35 HitsBat.exe 3 31->35         started        37 conhost.exe 31->37         started        39 timeout.exe 1 31->39         started        41 conhost.exe 33->41         started        43 schtasks.exe 1 33->43         started       
Score:
40%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-04 23:43:09 UTC
File Type:
Text (Batch)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fki7ndwlkuaik2akdeselllrbwfhhtvuyhhyqswicj3zsmey6yta._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
51042b77cd0432083c33d32d17332f8bb196c48e8f1d075174e3ab7a8fbf9c7d
AsyncRAT
5fff8aaa7eda49e0c339f8a415f158d840f22344849f294fde8cbbd2fa00b8f3
AsyncRAT
6a24ba25482c73d193fcc208d8ae267236b870b9ab30c44cabe2dc8bfb7a1073
AsyncRAT
7d7db8dde2d6ebc5edbb5284336a3dd99f75e86952ba616f7d693d9a221c4b4d
AsyncRAT
8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae
AsyncRAT
9e8c53c359ba5b038d232d80163ff1e00081fa12695b757a2affcfec37aa11c6
AsyncRAT
ee6844c262a1f73501e51fa9df9c6c993bf442c3d4b78686e3ace38b18789210
AsyncRAT
error
AsyncRAT
+ 1'914 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default defense_evasion execution persistence rat
Link:
https://tria.ge/reports/251105-jw8veagp7t/
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Deobfuscate/Decode Files or Information
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
172.31.37.118:2000
Dropper Extraction:
https://github.com/carloizm/ALLAAAAAH/releases/download/agagaga/ArsHIT.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a91f68ecb550085680a192445ad710d8a73ceb4c1cf884ac81277993098f626

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Certutil_Decode_OR_Download
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Certutil Decode
Reference:Internal Research
Rule name:obfuscated_BAT
Create hunting rule
Author:@warz_s
Description:Identifies obfuscated BAT files
Reference:https://github.com/secwarz/YaraRules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35401/

Comments