MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f
SHA3-384 hash:	04ccd89f49717d360b455339035e35d2d3fa69d840d19100e34f5610cdcc2acf08a5d08be75d2cc422c9e7546460cb02
SHA1 hash:	cc795e8f5a336e9068abd236aa4ee26b535fd9da
MD5 hash:	e3db46439259a581a36f2c87f2d2f22a
humanhash:	sixteen-foxtrot-foxtrot-island
File name:	Cli_____________ent.bat
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	1'842'338 bytes
First seen:	2025-11-18 17:05:18 UTC
Last seen:	2025-12-15 06:41:02 UTC
File type:	bat
MIME type:	text/plain
ssdeep	24576:rCJv018ZRHGE8O0lW+L2QFt124Y41v6/bT5nmzchqid/NTF6KyykSNFbl:rsvLRmLF724C/btOyx6fykSNFbl
Threatray	62 similar samples on MalwareBazaar
TLSH	T199852303DAA9D46EBA9B1F38F09E1908A7837C61716D4EEB0195E4BA014AF5C78C9C47
Magika	matlab
Reporter	smica83
Tags:	208-91-189-183 AsyncRAT bat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Cli_____________ent.bat

Verdict:

No threats detected

Analysis date:

2025-11-18 17:08:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6087a1a9-06c8-4231-9e9c-0889bc178cb2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38590/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691ca75fbdb0ec3a9dc3211e

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Creating a file in the %temp% directory

Enabling the 'hidden' option for recently created files

Сreating synchronization primitives

Connection attempt

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

Setting a global event handler for the keyboard

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 evasive obfuscated powershell

Link:

https://www.filescan.io/uploads/691ca75d95709d0fdece6e6f/reports/1dddd78d-3fc2-4c4e-913c-05572acb4308/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f

Verdict:

Malicious

File Type:

text

First seen:

2025-11-18T20:33:00Z UTC

Last seen:

2025-11-20T01:45:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1816275

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found large BAT file

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Powershell is started from unusual location (likely to bypass HIPS)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Renames powershell.exe to bypass HIPS

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious Executable File Creation

Suricata IDS alerts for network traffic

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f/

Verdict:

Malicious

Threat:

Family.ASYNCRAT

Link:

https://tip.neiki.dev/file/5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=llglb2tzeaygyldjj26mfru4me3axrub7i5menw5nopakkl2izpq._file

Verdict:

malicious

Label(s):

stormkitty

asyncrat

hiddenvnc

AsyncRAT

6cf0d4b7fd3371e339d9e52aa97cf50c9f2d0e662329507579f645e83e7285fe

AsyncRAT

8abdfaddb041a5c65cf9d4971466474fa77887a62f633fd51476344ae11ce5f0

AsyncRAT

9a657f8a9e75786f58aa9775b5b403544fc15249a22bc13165472f4ec7c20b6b

AsyncRAT

c9feb68275bd9e097ac71b17a4659c7734dabe06cf440b2cea2d06ecc13ead54

AsyncRAT

error

AsyncRAT

f470ab8df8dc7764cb726c85d9a6f5daadca98d45f34bff992a563754b484b93

AsyncRAT

+ 52 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:asyncrat family:stormkitty discovery rat stealer

Link:

https://tria.ge/reports/251118-vl4ngsgx7e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks installed software on the system

Executes dropped EXE

Async RAT payload

AsyncRat

Asyncrat family

StormKitty

StormKitty payload

Stormkitty family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5accb0ea7920306c2c694ebcc2c69c61360bc681fa3ac236dd6b9e05297a465f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/38590/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample