MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3
SHA3-384 hash: 37c817481a68afa603a0681ea73187690cd126c441b773fefa8c22afc137661c6881c91980f21a121f3f2aba6dfc5ebc
SHA1 hash: b3cdf88e64d57dac9812564a83ace2a22ae06828
MD5 hash: 2726145d4ef3b34d3c3a566177805c39
humanhash: jersey-green-twenty-massachusetts
File name:SecuriteInfo.com.Variant.Lazy.654159.588.21676
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'829'824 bytes
First seen:2025-05-12 04:27:56 UTC
Last seen:2025-05-12 05:25:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 862916beb6672dfc43d6d8cfe584af70 (1 x AsyncRAT)
ssdeep 49152:l10A8+lOjuhUcz20LapyaCvhhg6VqXcwB4lVdOi7sCvp1JAXeoaJIWN8gKB18p17:l10A0jOUc1LatCvYgbPO8sC7JIPaJhN1
TLSH T1B1D5335320067675FDD30A3788A8253E85CDDEB00B5780EBAEDC1A46D6629E23734F76
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
652
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MicrosoftSoftware.exe
Verdict:
Malicious activity
Analysis date:
2025-05-12 03:38:10 UTC
Tags:
discordgrabber generic stealer celestialrat rat
Link:
https://app.any.run/tasks/6d6ba164-e1a0-4267-a84b-43af25945185

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.654159.588.21676.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68217a4be16384d6a703b1c4
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Connection attempt
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/682178d7c7418694c8a8d9de/reports/583d2a4b-5882-49e8-b976-bd8c5c02949c/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3
Malware family:
Sharp Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f46e9d3-8ccc-4cbf-b0be-f907885a4c6f
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1687409
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3/
Threat name:
Win32.Backdoor.Asyncrat
Create hunting rule
Status:
Malicious
First seen:
2025-05-12 04:28:13 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnuwxihkl2t7gxonhg7egcuiqabujeht2hc7eim75uwqmn3kegrq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250512-e3pmwsem9v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/36e1c8cd-0ac1-4062-8b8c-c43f8495a2a1
Unpacked files
SH256 hash:
2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3
MD5 hash:
2726145d4ef3b34d3c3a566177805c39
SHA1 hash:
b3cdf88e64d57dac9812564a83ace2a22ae06828
Link:
https://www.unpac.me/results/a554c4c8-4674-4ab0-97b6-5929c605a12c/
SH256 hash:
6e858231fe1d43765482fcfc526c2c9c95afe85026d3432e1badd6df9c79e16f
MD5 hash:
5512286600249d0cc14ef2de7b94f3b1
SHA1 hash:
97b1ef962c477cb57172a77d9f41deddc152df25
Detections:
win_lumma_a0
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
MALWARE_Win_ArrowRAT
Create hunting rule
Link:
https://www.unpac.me/results/a554c4c8-4674-4ab0-97b6-5929c605a12c/
SH256 hash:
650f757e133cd6fc030977c4f847aeaa36eb554ba1848a291f30e4ff0ff63b8d
MD5 hash:
6bdd50f6716d0519413d840a55cd6a43
SHA1 hash:
05456650b761058aa10200e2ec6b3e97297c136d
Link:
https://www.unpac.me/results/a554c4c8-4674-4ab0-97b6-5929c605a12c/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b696ba0ea5e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3541737/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsapi-ms-win-crt-runtime-l1-1-0.dll::_get_narrow_winmain_command_line

Comments