MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 414ca0982ed35b84dd95d205c4b8bafb68e877f0ddad22cad9dcec513947fb2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 30 File information Comments

SHA256 hash: 414ca0982ed35b84dd95d205c4b8bafb68e877f0ddad22cad9dcec513947fb2e
SHA3-384 hash: e4190585e2c153cf030a499fca2b1dbd39d30a4d3d428084e8f518e83a66a5f8d63e6611a677250d8ccc41f62201243e
SHA1 hash: fd3c7ee73e945a399c90006a7b6611714586572c
MD5 hash: fee046421c496e515a94002be7dce29e
humanhash: blossom-ohio-november-beer
File name:Interface_LIB.ps1
Download: download sample
Signature AsyncRAT
File size:93'417 bytes
First seen:2026-06-22 16:26:45 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:Mzrjpo2/ylBFqnLVUOYhPApYS/WTjpy1ZBg1J24eLzpIyhbfEsPe9gifNt31u6Yx:+jpo2/ylBcn1YhPAv/WTjpy1LdpIyhge
TLSH T17D93AE212A0E0133D1F746224EE5B7CAD1A174371FF62D647D7CE9C12F37016AAA1A9E
Magika powershell
Reporter BastianHein
Tags:AsyncRAT ps1

Intelligence


File Origin
# of uploads :
1
# of downloads :
129
Origin country :
CL CL
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
96.5%
Tags:
crysan virus sage remo
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-06-02T23:02:00Z UTC
Last seen:
2026-06-22T13:38:00Z UTC
Hits:
~10
Detections:
Backdoor.MSIL.Crysan.b PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Coins.sb Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Crysan.d Backdoor.MSIL.Crysan.c
Gathering data
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2026-06-03 08:06:00 UTC
File Type:
Text
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware execution persistence ransomware spyware
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:AsyncRAT_057B
Author:kirkderp
Description:AsyncRAT 0.5.7B -- minimal .NET RAT with PBKDF2 key derivation and MessagePack serialization
Reference:https://github.com/kirkderp/yara
Rule name:asyncrat_kingrat
Author:jeFF0Falltrades
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Macos_Infostealer_Wallets_8e469ea0
Author:Elastic Security
Rule name:malware_asyncrat
Description:detect AsyncRat in memory
Reference:https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
Rule name:MAL_AsnycRAT
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Mal_WIN_AsyncRat_RAT_PE
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
Rule name:msil_suspicious_use_of_strreverse
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Generic_Threat_ce98c4bc
Author:Elastic Security
Rule name:Windows_Trojan_Asyncrat_11a11ba1
Author:Elastic Security
Rule name:win_asyncrat_bytecodes
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name:win_asyncrat_j1
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_unobfuscated
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name:win_asyncrat_w0
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments