MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35dad217cb9ff76d60d7f2ef1ab490f97e407ed48524a33d804df0344392d4e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35dad217cb9ff76d60d7f2ef1ab490f97e407ed48524a33d804df0344392d4e3
SHA3-384 hash: 3bf855e966b95da7a81d2764e1072364407e7412c93ed387e724da96eebce30a2ff14a21b9cfaa902eece9787c2dfd10
SHA1 hash: 0acde151c5ae90f5c2a800a3df536f6e0a6b458e
MD5 hash: a5d27281013f0a86765ea2e95a2c6253
humanhash: two-july-papa-violet
File name:phbf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:5'993'888 bytes
First seen:2025-05-08 23:33:29 UTC
Last seen:2025-05-09 07:07:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c6d9d416fc2bbaad624e187901fdd94 (3 x DCRat, 2 x AsyncRAT)
ssdeep 98304:UwgsiH4m9pYFBA14XrLhVVt0NRhws2y3c0q2stPr1evhMIRBwcOo:UwgsiYfsIff7Uc0ItDsziPo
Threatray 52 similar samples on MalwareBazaar
TLSH T1EF560084326182D7D4127C3E263DAB00D16DEC1B0E53739BF6D186F9BA2E6854BF9271
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon b28b87cba3b2f8f4 (4 x AsyncRAT, 1 x Formbook, 1 x XWorm)
Reporter TannerFilip
Tags:213-226-11-234 AsyncRAT booking ClickFix DCRat exe FakeCaptcha signed

Code Signing Certificate

Organisation:Slient
Issuer:Slient
Algorithm:sha256WithRSAEncryption
Valid from:2024-07-27T17:33:58Z
Valid to:2035-05-06T17:33:58Z
Serial number: 817d8df929ec86c7bb550ae4830354fbea38cbab
Thumbprint Algorithm:SHA256
Thumbprint: 40b09e57b4349d8eb967e2a65854fb697a8a36bcdff291f8581cdddf61c60742
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
TannerFilip
Email -> Fake Captcha -> PowerShell -> DCRat

Intelligence

File Origin
# of uploads :
2
# of downloads :
540
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
phbf.exe
Verdict:
Malicious activity
Analysis date:
2025-05-08 23:38:48 UTC
Tags:
rat asyncrat remote auto-startup
Link:
https://app.any.run/tasks/036eb8ec-1cf5-4576-ba50-27dd5c6ff337

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.16859.16237.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681d3fef6c95617a27b625d4
Tags:
autorun virus spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-vm fingerprint microsoft_visual_cc packed packed packer_detected self-signed-cert signed
Link:
https://www.filescan.io/uploads/681d3f73c7418694c8a7ae7b/reports/78552782-7bd5-4320-aa5d-02cd6e8246e7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/35dad217cb9ff76d60d7f2ef1ab490f97e407ed48524a33d804df0344392d4e3
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/91810d9f-32aa-4e90-8d79-6b12f7faa512
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1684988
Signature
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Compiles code for process injection (via .Net compiler)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1684988 Sample: phbf.exe Startdate: 09/05/2025 Architecture: WINDOWS Score: 100 41 shed.dual-low.s-part-0043.t-0009.t-msedge.net 2->41 43 s-part-0043.t-0009.t-msedge.net 2->43 45 casoneroutegold-prod-bggfgca0dkaag8a8.b01.azurefd.net 2->45 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 9 phbf.exe 11 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\DeleteApp.url, MS 9->33 dropped 35 C:\Users\user\AppData\...\igh4kr3q.cmdline, Unicode 9->35 dropped 37 C:\Users\user\AppData\Local\...\igh4kr3q.0.cs, C++ 9->37 dropped 39 C:\Users\user\AppData\Local\...\phbf.exe.log, CSV 9->39 dropped 57 Writes to foreign memory regions 9->57 59 Allocates memory in foreign processes 9->59 61 Compiles code for process injection (via .Net compiler) 9->61 63 Injects a PE file into a foreign processes 9->63 13 MSBuild.exe 4 9->13         started        16 csc.exe 3 9->16         started        19 MSBuild.exe 9->19         started        21 MSBuild.exe 9->21         started        signatures6 process7 dnsIp8 47 213.226.113.234, 49719, 8848 PINDC-ASRU Russian Federation 13->47 23 WMIC.exe 1 13->23         started        31 C:\Users\user\AppData\Local\...\igh4kr3q.dll, PE32 16->31 dropped 25 conhost.exe 16->25         started        27 cvtres.exe 1 16->27         started        file9 process10 process11 29 conhost.exe 23->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35dad217cb9ff76d60d7f2ef1ab490f97e407ed48524a33d804df0344392d4e3/
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-05-08 23:34:06 UTC
File Type:
PE+ (Exe)
Extracted files:
19
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxnnef6lt73w2ygx6lxrvneq7f7ea7wuquskgpmajxydiq4s2trq._file
Verdict:
malicious
Label(s):
boratrat
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
30886b41903e414dc4fe410d9a85bfdc7bbaf96e1ae7130564160a97af8f75fd
AsyncRAT
326f6f4666110d3946f684fa450fa2f5e207b6fcbc6a8170a5df22c0fcc19385
AsyncRAT
35dad217cb9ff76d60d7f2ef1ab490f97e407ed48524a33d804df0344392d4e3
AsyncRAT
3695e634b502f0df0f10f5445ce9aacadff5a52fcc07870b791d52bef0e4cc47
AsyncRAT
47df6745dadac5d8ecb9c264fc93304916ea5f3be98d6fac73e24c1149cb49a8
AsyncRAT
7b1bfc840ebe3750b60cda847df58d782cd9228e5c0ee5873bad581d72d3e6e4
AsyncRAT
dee3485407d08fdd07f00447ffa96d0ae48a7aa6c0e8fd5bd7e510adfc9a5e9f
AsyncRAT
error
AsyncRAT
+ 42 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default discovery rat
Link:
https://tria.ge/reports/250508-3kgrbsdn4x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
213.226.113.234:8848
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/09c86a65-4a8b-4b9a-953f-2df0bb981871
Unpacked files
SH256 hash:
35dad217cb9ff76d60d7f2ef1ab490f97e407ed48524a33d804df0344392d4e3
MD5 hash:
a5d27281013f0a86765ea2e95a2c6253
SHA1 hash:
0acde151c5ae90f5c2a800a3df536f6e0a6b458e
Link:
https://www.unpac.me/results/166b3bdc-cde6-4e4d-a675-08f69a37da0e/
SH256 hash:
115e67c695054f4cf21e16cf1cce1365a93ccd4374e6f8363637d888f16f9f61
MD5 hash:
2883f3815cb597c887c41ffed309edaa
SHA1 hash:
bc16b6e928dce612d6ec2d99efb39108151d02d5
Link:
https://www.unpac.me/results/166b3bdc-cde6-4e4d-a675-08f69a37da0e/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35dad217cb9f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DCRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35dad217cb9ff76d60d7f2ef1ab490f97e407ed48524a33d804df0344392d4e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dcrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:dcrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:dcrat_rkp
Create hunting rule
Author:jeFF0Falltrades
Description:Detects DCRat payloads
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://threatfox.abuse.ch/ioc/1518504/
  
Dropping
dcrat
  
Delivery method
Distributed via e-mail link

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments