MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518
SHA3-384 hash: 77948c6ae7e3bddad2058ad997f67e53cff2eb86cbea5debdcd8bd265eceece32df7c75b11ba144c792589558b95e622
SHA1 hash: a5d7d044f128409840b49121cca49f9e9a4b60a3
MD5 hash: 162e91f8cc85ba6454920cb7ef3786e9
humanhash: pluto-undress-yellow-triple
File name:3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:7'319'702 bytes
First seen:2025-06-13 04:30:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 657e40fb09b2c5e277b865a7cf2b8089 (6 x AsyncRAT, 4 x Arechclient2, 3 x DanaBot)
ssdeep 196608:flacNtD7fKMBmiYXvWvk/7VCxRdBheyNzf1gTg8w5Ft+:taRMBmryORsdfVJAhv
Threatray 168 similar samples on MalwareBazaar
TLSH T1F1762332A152703BD2F019B3F854D2307EAC92186B5899AFC6D09C5D3CA85D66EFB347
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter JAMESWT_WT
Tags:AsyncRAT delamanodedios7-dynuddns-com exe lindo1-dynuddns-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
444
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
https://docs.google.com/uc?export=download&id=1TeCK9SupT-wWQHRZYLObgRb6pQvNsiWB
Verdict:
Malicious activity
Analysis date:
2025-05-20 13:31:32 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/5774f027-1a69-4a86-9789-c06161c41680

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9241/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684bac0907b5e8c1cfe6a0de
Tags:
asyncrat autorun cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Labled as:
Generik.CNFQCA trojan
Link:
https://www.hybrid-analysis.com/sample/3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b416b710-ba74-4a1b-9680-6177599192b2
Result
Threat name:
AsyncRAT, DcRat, HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1713787
Signature
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected DcRat
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1713787 Sample: RbsLrVBL6z.exe Startdate: 13/06/2025 Architecture: WINDOWS Score: 100 66 lindo1.dynuddns.com 2->66 68 delamanodedios7.dynuddns.com 2->68 70 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->70 80 Suricata IDS alerts for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 8 other signatures 2->86 10 RbsLrVBL6z.exe 8 2->10         started        13 ShadowSynchronizer.exe 5 2->13         started        signatures3 process4 file5 54 C:\Windows\Temp\...\RbsLrVBL6z.exe, PE32 10->54 dropped 16 RbsLrVBL6z.exe 18 10->16         started        56 C:\Users\user\AppData\Local\...\CD28DA5.tmp, PE32 13->56 dropped 92 Maps a DLL or memory area into another process 13->92 20 VirtuAgent128.exe 3 13->20         started        22 XPFix.exe 13->22         started        signatures6 process7 file8 38 C:\Windows\Temp\...\ShadowSynchronizer.exe, PE32 16->38 dropped 40 C:\Windows\Temp\...\vcruntime140.dll, PE32 16->40 dropped 42 C:\Windows\Temp\...\msvcp140.dll, PE32 16->42 dropped 44 3 other files (none is malicious) 16->44 dropped 72 Multi AV Scanner detection for dropped file 16->72 24 ShadowSynchronizer.exe 8 16->24         started        signatures9 process10 file11 46 C:\ProgramData\...\ShadowSynchronizer.exe, PE32 24->46 dropped 48 C:\ProgramData\...\vcruntime140.dll, PE32 24->48 dropped 50 C:\ProgramData\War_system_x86\msvcp140.dll, PE32 24->50 dropped 52 2 other files (none is malicious) 24->52 dropped 88 Switches to a custom stack to bypass stack traces 24->88 90 Found direct / indirect Syscall (likely to bypass EDR) 24->90 28 ShadowSynchronizer.exe 7 24->28         started        signatures12 process13 file14 58 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 28->58 dropped 60 C:\ProgramData\VirtuAgent128.exe, PE32 28->60 dropped 62 C:\Users\user\AppData\Local\...\B67F906.tmp, PE32 28->62 dropped 94 Found hidden mapped module (file has been removed from disk) 28->94 96 Maps a DLL or memory area into another process 28->96 98 Switches to a custom stack to bypass stack traces 28->98 100 Found direct / indirect Syscall (likely to bypass EDR) 28->100 32 VirtuAgent128.exe 2 28->32         started        36 XPFix.exe 2 28->36         started        signatures15 process16 dnsIp17 64 delamanodedios7.dynuddns.com 155.94.155.214, 49722, 49724, 49725 ASN-QUADRANET-GLOBALUS United States 32->64 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->74 76 Switches to a custom stack to bypass stack traces 32->76 78 Found direct / indirect Syscall (likely to bypass EDR) 32->78 signatures18
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hx5ohx4jf3qa2bn7hlmbkujo2r3yc2dkxrdh7dfrj3ki44kyouma._file
Verdict:
malicious
Label(s):
dcrat
Create hunting rule
Similar samples:
0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72
AsyncRAT
320861ce79bd74d122cbc2db5fe41afab81e37fd8aea11efedc371e9b0db19e5
AsyncRAT
486e05b780fad9b2281a1923f8653e0c725d2fc304894cd6e9dd5bf3eccd705f
AsyncRAT
5903968dae09caf1a9042e5a0edef721716c5959aa9ffbc93f14dd84fc6dc3db
AsyncRAT
776b23bef4e7ef253ed6ada52623285b07db79c1f975dd1aabaeeeb0af901f31
AsyncRAT
b38f89519205f6183c4ce10141cbfd77aeb5406153a5440537a33a591d64e37d
AsyncRAT
b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea
AsyncRAT
d933e301cf2ccd346117f1016ea6fcf491486403966ad39220cff9f847714e38
AsyncRAT
e33bc5dea10df64ea281c795002acc284bce9e1430e60204a5a46e508ad9ab7a
AsyncRAT
error
AsyncRAT
+ 158 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:hijackloader botnet:dolar discovery loader rat
Link:
https://tria.ge/reports/250613-e6542sek3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Asyncrat family
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Malware Config
C2 Extraction:
lindo1.dynuddns.com:8849
delamanodedios7.dynuddns.com:8849
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/62b68484-9c64-4e55-b889-2b97fbdd1266
Unpacked files
SH256 hash:
3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518
MD5 hash:
162e91f8cc85ba6454920cb7ef3786e9
SHA1 hash:
a5d7d044f128409840b49121cca49f9e9a4b60a3
Link:
https://www.unpac.me/results/15d19cc8-127e-4043-8731-bcb812bcd0c7/
SH256 hash:
9143cc4d8ecd916678f8eb655a72d3982d8d6104436da506ddcf2143e3732074
MD5 hash:
ff08f9c6d8886e59f7a6fb6cf1d426bd
SHA1 hash:
963f7259077054b2cd12bafe28ba8164fc3d8c96
Link:
https://www.unpac.me/results/15d19cc8-127e-4043-8731-bcb812bcd0c7/
SH256 hash:
2cf5525ac7c2593e6532bf07278ef492f623c6d8a265bc05a1ba0139fce126a5
MD5 hash:
eec9536fadd78732b63f38cc87d6ecad
SHA1 hash:
0194a8233431aa93194cd27cb3e85c202b86e022
Link:
https://www.unpac.me/results/15d19cc8-127e-4043-8731-bcb812bcd0c7/
SH256 hash:
3f8176bbc33f75fbcc429800461d84bcdb92d766d968220a9cc31f4cf6987271
MD5 hash:
266c6a0adda7ca07753636b1f8a69f7f
SHA1 hash:
996cc22086168cd47a19384117ee61e9eb03f99a
Link:
https://www.unpac.me/results/15d19cc8-127e-4043-8731-bcb812bcd0c7/
SH256 hash:
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220
MD5 hash:
1d4ff3cf64ab08c66ae9a4013c89a3ac
SHA1 hash:
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b
Link:
https://www.unpac.me/results/15d19cc8-127e-4043-8731-bcb812bcd0c7/
SH256 hash:
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55
MD5 hash:
dc739066c9d0ca961cba2f320cade28e
SHA1 hash:
81ed5f7861e748b90c7ae2d18da80d1409d1fa05
Link:
https://www.unpac.me/results/15d19cc8-127e-4043-8731-bcb812bcd0c7/
SH256 hash:
7c0c00d7fe55cce5cc4deb15948eab7d69d61344c432aaaff168f1f15f69d78e
MD5 hash:
e98f599801e6dd5e652f830591be9438
SHA1 hash:
f3237ac703649c23e3eb3482fb0ac932d3c61801
Link:
https://www.unpac.me/results/15d19cc8-127e-4043-8731-bcb812bcd0c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3dfae3df892ee00d05bf3ad815512ed47781686abc467f8cb14ed48e71587518

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9241/

Comments