MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708
SHA3-384 hash: 2eba45ea7e08054445597b169a07941e7c680a69f7c671d40e47b6f760e2583a8adce3e5c18aff7b9b8af374adda5fa3
SHA1 hash: 1bafba4aac95b67e86519e393dc7df3fc648f5ac
MD5 hash: 98e56e0a9b35fd7990bdd8fbfd1268ef
humanhash: beer-lamp-low-alpha
File name:59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:719'328 bytes
First seen:2025-08-20 14:17:29 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 26acef7e3c44d9d008d43029412ddb11 (2 x AsyncRAT)
ssdeep 12288:NfytRW1pIgYrTUdBUpuC6DcZKCvJ5UXaZmAbs8wDxp+9IUg6kMdXXEGAN10dVeM:NKjW1pIVrIdBO/6DcZKCvJ5UXOmAg1D4
Threatray 324 similar samples on MalwareBazaar
TLSH T145E4E041BAC0C4B5E55F1A350224EE774A3DB4716EAFF8CB37844A2D8A372C1A764F46
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter JAMESWT_WT
Tags:156-241-134-49 AsyncRAT dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22523/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a5d9058fd55a79c52976b3
Tags:
injection crysan obfusc virus
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint invalid-signature krypt microsoft_visual_cc obfuscated signed
Link:
https://www.filescan.io/uploads/68a5d904ba1f5bb1e60dee1f/reports/3dd65818-d887-4073-8eea-5bb180dd877e/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708
Malware family:
MINIBIKE
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b34ad04-6c4f-4fdc-988a-4242604b5f35
Score:
45%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/98e56e0a9b35fd7990bdd8fbfd1268ef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Crysan
Link:
https://tip.neiki.dev/file/59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-04-03 21:20:00 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgx642gfhkdrw5ervpx6jztawvfyv3q3hzdydmvk6rwiw2xye4ea._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
3b117d869f38ab4e7c14507d969467820208dcb26f5564612cc8329c76b1f156
AsyncRAT
59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708
AsyncRAT
6331ca8b268d2426749f0e579dad36513fd5d8f2489abdea7fac083109546459
AsyncRAT
79a2fa17db3d9e811ed4ee08615daeb52151ea966f5ae1b2bd1911e2bf86c3c4
AsyncRAT
7f7addef00195b936618e5033be9094859ce409b56a41ef8673fe5df20106940
AsyncRAT
8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88
AsyncRAT
dca5762afcbdd54dcbdf8c0b2de6313ba681f42bd5f958bec47891cc2a24113d
AsyncRAT
e97817e3aab6079cc0ecdd4c10d3e056e9a20af2bb91555608490c61af27b31e
AsyncRAT
error
AsyncRAT
ff1c1d6c42c8aa77fc465eea36ce1c671a78192b4ccfb3bd19c96dfde4cd182e
AsyncRAT
+ 314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250820-rl1eaatvay/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708
MD5 hash:
98e56e0a9b35fd7990bdd8fbfd1268ef
SHA1 hash:
1bafba4aac95b67e86519e393dc7df3fc648f5ac
Link:
https://www.unpac.me/results/9edaeda7-8ff0-42b7-971e-d449a0149a2a/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/59afee68c53a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/59afee68c53a871b7491abefe4e660b54b8aee1b3e4781b2aaf46c8b6af82708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22523/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments