MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 565233cc8e4de34e543ed83307c22a381888cb10ce1c0e8059def7f55aa0df9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	565233cc8e4de34e543ed83307c22a381888cb10ce1c0e8059def7f55aa0df9d
SHA3-384 hash:	4e00cf124911ba714891a4bbf631e5894ed067bdfe20bb3bfaeafeda1a1479d5252a422f45f5695498805553e7c0d9b8
SHA1 hash:	080caa24645b6e9b36d0f16738669db20afb9277
MD5 hash:	202523455a0304032abf136acf51d250
humanhash:	muppet-green-blossom-eleven
File name:	AutoFarmer.bat
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	2'436 bytes
First seen:	2025-11-30 22:19:41 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	48:X4DY777x/rhA9Steiu5gXdm4jc5lVfkQoE96A0dXAst7ait7tmz:X4DPSteiu5gXgbjkQoE9CNvzRe
Threatray	1'742 similar samples on MalwareBazaar
TLSH	T13B411E39B2D69B1012601D60A43AEC8153A9E9DBCEF60857F5E991C64EB9308CEE45E4
TrID	45.4% (.MP3) MP3 audio (ID3 v1.x tag) (2500/1/1) 36.3% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 18.1% (.MP3) MP3 audio (1000/1)
Magika	batch
Reporter	smica83
Tags:	AsyncRAT bat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

asyncrat

ID:

File name:

AutoFarmer.bat

Verdict:

Malicious activity

Analysis date:

2025-11-30 22:29:28 UTC

Tags:

github asyncrat susp-powershell rat remote

Link:

https://app.any.run/tasks/10455993-3445-4d2a-bcaf-e003e0cd08ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41965/

Detection(s):

Sanesecurity.Malware.BadBatObs.31934.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692cc323fca025d00d47202b

Tags:

asyncrat autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Running batch commands

Creating a file in the %temp% directory

Creating a window

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Unauthorized injection to a recently created process

Launching a file downloaded from the Internet

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

certutil certutil lolbin obfuscated timeout

Link:

https://www.filescan.io/uploads/692cc31fd0d5e7288b51c4c4/reports/7b977dec-6b4e-46a2-a717-d30eec1b9344/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/565233cc8e4de34e543ed83307c22a381888cb10ce1c0e8059def7f55aa0df9d

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-29T22:08:00Z UTC

Last seen:

2025-12-01T11:08:00Z UTC

Hits:

~100

Detections:

Backdoor.Agent.TCP.C&C Trojan-Downloader.PowerShell.Agent.sb HEUR:Backdoor.MSIL.Crysan.gen HEUR:Backdoor.BAT.Crysan.gen Backdoor.MSIL.Crysan.d Backdoor.MSIL.Crysan.b Trojan.VBS.Runner.sb HEUR:Trojan.Win32.Generic HEUR:Backdoor.MSIL.SheetRat.gen Backdoor.MSIL.Crysan.sb Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/565233cc8e4de34e543ed83307c22a381888cb10ce1c0e8059def7f55aa0df9d/results?tab=lookup

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1823216

Signature

Antivirus detection for dropped file

Bypasses PowerShell execution policy

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Powershell drops PE file

Sample uses string decryption to hide its real strings

Sigma detected: Legitimate Application Dropped Script

Sigma detected: Powershell download and execute file

Sigma detected: PowerShell DownloadFile

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Yara detected AsyncRAT

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/565233cc8e4de34e543ed83307c22a381888cb10ce1c0e8059def7f55aa0df9d/

Verdict:

Malicious

Threat:

Family.ASYNCRAT

Link:

https://tip.neiki.dev/file/565233cc8e4de34e543ed83307c22a381888cb10ce1c0e8059def7f55aa0df9d

Threat name:

Script.Trojan.Generic

Status:

Suspicious

First seen:

2025-11-29 03:28:21 UTC

AV detection:

4 of 38 (10.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kzjdhteojxru4vb63azqpqrkhamirsyqzyoa5acz3337kwva36oq._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

5e088f3ae8bf2631e5aaa8de2facd537a65ef5e269924213e14ee41d94b6a446

AsyncRAT

70edef5a9165f8776f6bde6c60108c0bbcc33e7d10e07d16024bfedf70ec008b

AsyncRAT

7c8c576731dd13174bd9289726bc59c98fa0db27515da65d5f3434c5c2921d02

AsyncRAT

7f14cf5740bb204942ae69690aea4bb17dea9bee17323311a6613c766a716b24

AsyncRAT

c5a9d2df9a41e3b205f0c1d0b888b9e190734481a5d2dbf6e9bd490ae2a4a7eb

AsyncRAT

dfd94151544cfefdfdfc52c9904e295d76d3240b4f6b77728e45096e84da4339

AsyncRAT

error

AsyncRAT

+ 1'732 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default defense_evasion discovery execution rat

Link:

https://tria.ge/reports/251130-187xbabx3f/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Deobfuscate/Decode Files or Information

Legitimate hosting services abused for malware hosting/C2

Executes dropped EXE

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Async RAT payload

AsyncRat

Asyncrat family

Malware Config

C2 Extraction:

16.171.20.89:1337

Dropper Extraction:

https://github.com/demirakcabelen-jpg/ddq/raw/refs/heads/main/McFarmer.exe

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

Rule name:	Certutil_Decode_OR_Download Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Certutil Decode
Reference:	Internal Research

Rule name:	obfuscated_BAT Create hunting rule
Author:	@warz_s
Description:	Identifies obfuscated BAT files
Reference:	https://github.com/secwarz/YaraRules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/41965/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample