MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295
SHA3-384 hash:	7df27ae37e3532c32390c6a16b4fde573abf7507adb7a5df3280cc78db88b4b748131172437dcf7de777c760f86173f3
SHA1 hash:	84fc15ff667b9fdc1b50414c13d7fd26de9682a9
MD5 hash:	f66ce0b6aa4fa67d804488e24fb96e29
humanhash:	lithium-mirror-kansas-pip
File name:	ELECTO_LPO#26202_Order_Scan_Doc_MQB300.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	915'968 bytes
First seen:	2025-07-28 07:11:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bc6e82ee7e84228f9f9c6d17bb721341 (1 x RemcosRAT, 1 x AsyncRAT, 1 x DBatLoader)
ssdeep	24576:1rtPZjrTXnVaJjQJOGQl38aJiufsdSJh2Ix:1r51jnEtQuD2Ix
Threatray	168 similar samples on MalwareBazaar
TLSH	T13615B01FAE525837D12219744FE7B3E51829BE332E28ADC66BF40E9C4F397517928243
TrID	89.2% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 5.7% (.EXE) InstallShield setup (43053/19/16) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) Win64 Executable (generic) (10522/11/4) 0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	e8e0a2a4a2a088a0 (1 x RemcosRAT, 1 x AsyncRAT, 1 x DBatLoader)
Reporter	Anonymous
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0b459667-1a05-4d11-a5a2-c4b2b4d09055.zip

Verdict:

Malicious activity

Analysis date:

2025-07-27 09:17:40 UTC

Tags:

arch-email attachments attc-arch m0yv evasion stealer exfiltration smtp ultravnc rmm-tool delphi

Link:

https://app.any.run/tasks/8afd4abf-5613-4e0c-808d-1d4a1d7535d9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/17272/

Detection(s):

Win.Trojan.Modiloader-10042434-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688722a20b4775fb2132931f

Tags:

autorun delphi emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Connection attempt to an infection source

DNS request

Connection attempt

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context borland_delphi explorer fingerprint keylogger lolbin obfuscated

Link:

https://www.filescan.io/uploads/6887229e13488cfd44db6437/reports/d61b6194-850d-479b-ada5-d1203c99c3d9/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0528035-59a6-4045-b8f0-1b758462aadf

Score:

86%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/f66ce0b6aa4fa67d804488e24fb96e29

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Agensla

Link:

https://tip.neiki.dev/file/366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295

Threat name:

Win32.Trojan.DBatLoader

Status:

Malicious

First seen:

2025-07-26 09:58:39 UTC

File Type:

PE (Exe)

Extracted files:

119

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gzwcgt2tm26mjyralee3qheehziig35czmryeg2iufreq5u5ckkq._file

Verdict:

malicious

Label(s):

expiro

dbatloader

asyncrat

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery execution persistence trojan

Link:

https://tria.ge/reports/250728-hz529ack7t/

Behaviour

Scheduled Task/Job: Scheduled Task

Script User-Agent

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Legitimate hosting services abused for malware hosting/C2

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Verdict:

Malicious

Tags:

Win.Trojan.Modiloader-10042434-0 Expiro

YARA:

n/a

Link:

https://app.threat.zone/submission/a0b98583-38a7-49fc-94d5-7a48705dd7a3

Unpacked files

SH256 hash:

366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295

MD5 hash:

f66ce0b6aa4fa67d804488e24fb96e29

SHA1 hash:

84fc15ff667b9fdc1b50414c13d7fd26de9682a9

Link:

https://www.unpac.me/results/1777e26f-4eb5-4fc5-8d07-575973d226b0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/366c234f5366bcc4e2205909b81c843e50836fa2cb23821b48a16248769d1295

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/17272/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteA shell32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_TRUST_API	Uses Windows Trust API	wintrust.dll::WinVerifyTrust
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowA user32.dll::OpenClipboard user32.dll::PeekMessageA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample