MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7
SHA3-384 hash: ca64ae8ad78d38c3e029599f56e1fdf14e63c9cc592bc0e716e0a2547a5f4ec9c39d9eb373de6686043479aff558b1cc
SHA1 hash: d16040541030714cdcfa46799ea14fb9d4b076ad
MD5 hash: 522ac428063f7e10ea0ce78a4502b202
humanhash: yankee-texas-east-avocado
File name:522ac428063f7e10ea0ce78a4502b202.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:15'592'024 bytes
First seen:2025-03-20 05:42:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 393216:keymM14qGjAzv5h6OjHNG0fzF8BWnTrWlB:kkpjY7xJFwWTE
TLSH T1E2F60137F2886D2FC4AB1B314A3782A0A8377A6275128D7B97F8194C8F355506E3F746
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 6862eae4b696c66c (1 x LummaStealer, 1 x AsyncRAT)
Reporter abuse_ch
Tags:AsyncRAT exe signed

Code Signing Certificate

Organisation:Taiga Revolution Oy
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2024-12-25T19:35:55Z
Valid to:2025-12-25T19:35:55Z
Serial number: 49e5e5f9e6b6d7f24fabe0429d2e9989
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 6fc017ffffc9fdf339ec54ed1f49d0a584c9fd23ca3d4a29d7af860c30fc7cec
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
475
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
522ac428063f7e10ea0ce78a4502b202.exe
Verdict:
Malicious activity
Analysis date:
2025-03-20 05:50:18 UTC
Tags:
autoit stealer delphi inno installer rat asyncrat remote purehvnc
Link:
https://app.any.run/tasks/c3c69517-36ce-4c46-8fce-490a5591a16d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dbaacc115e7b48b48ef3b1
Tags:
asyncrat dropper virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for the window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
Launching a process
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Setting a single autorun event
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd embarcadero_delphi expand fingerprint installer lolbin overlay packed packed packer_detected regsvr32 revoked-cert runonce signed
Link:
https://www.filescan.io/uploads/67dbaac4b93e688233efe0d1/reports/39c82966-c92c-4f58-9bdc-972a5a327421/overview
Verdict:
Malicious
Labled as:
Win32_TrojanDropper_Agent_TAX
Link:
https://www.hybrid-analysis.com/sample/5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7
Result
Verdict:
UNKNOWN
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a5716eb-cfbb-48c8-a00e-053c5a376e63
Result
Threat name:
PureCrypter, AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1643802
Signature
Allocates memory in foreign processes
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1643802 Sample: 6lfv0o2W3P.exe Startdate: 20/03/2025 Architecture: WINDOWS Score: 100 73 Suricata IDS alerts for network traffic 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected AsyncRAT 2->77 10 6lfv0o2W3P.exe 2 2->10         started        13 AutoIt3.exe 2->13         started        16 AutoIt3.exe 2->16         started        process3 file4 47 C:\Users\user\AppData\...\6lfv0o2W3P.tmp, PE32 10->47 dropped 18 6lfv0o2W3P.tmp 3 15 10->18         started        87 Writes to foreign memory regions 13->87 89 Allocates memory in foreign processes 13->89 91 Injects a PE file into a foreign processes 13->91 21 jsc.exe 3 13->21         started        23 jsc.exe 2 16->23         started        signatures5 process6 file7 39 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->39 dropped 41 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 18->41 dropped 43 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 18->43 dropped 25 6lfv0o2W3P.exe 2 18->25         started        process8 file9 45 C:\Users\user\AppData\...\6lfv0o2W3P.tmp, PE32 25->45 dropped 28 6lfv0o2W3P.tmp 5 53 25->28         started        process10 file11 49 C:\Users\user\AppData\...\AutoIt3.exe (copy), PE32 28->49 dropped 51 C:\Users\user\...\pdfsettings.dll (copy), PE32+ 28->51 dropped 53 C:\Users\user\AppData\...\npvlc.dll (copy), PE32+ 28->53 dropped 55 70 other files (none is malicious) 28->55 dropped 31 AutoIt3.exe 1 25 28->31         started        process12 file13 57 C:\...\AutoIt3.exe, PE32 31->57 dropped 59 C:\...\pdfsettings.dll, PE32+ 31->59 dropped 61 C:\...\npvlc.dll, PE32+ 31->61 dropped 63 19 other files (none is malicious) 31->63 dropped 67 Writes to foreign memory regions 31->67 69 Allocates memory in foreign processes 31->69 71 Injects a PE file into a foreign processes 31->71 35 jsc.exe 2 31->35         started        signatures14 process15 dnsIp16 65 45.152.149.6, 49725, 49735, 56001 DEDIPATH-LLCUS Netherlands 35->65 79 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 35->79 81 Found many strings related to Crypto-Wallets (likely being stolen) 35->81 83 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->83 85 4 other signatures 35->85 signatures17
Score:
68%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7/
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-03-16 20:45:40 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lquicdub75adsph6p4b4i4r55cwg6s2ubuoe5o5qn3ehfppeswtq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/250320-gerhpavsgv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d7adc372-80a0-4039-b6a5-476c031e03f0
Unpacked files
SH256 hash:
5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7
MD5 hash:
522ac428063f7e10ea0ce78a4502b202
SHA1 hash:
d16040541030714cdcfa46799ea14fb9d4b076ad
Link:
https://www.unpac.me/results/e4680e59-9071-47f4-9f90-35e1540b0080/
SH256 hash:
06afde60bacefe1ab5f38026a91d3403d8e5cd169628020ad11c604b4a059e93
MD5 hash:
aed36ae04e69fa6e1d6c714bc0c85fa1
SHA1 hash:
952b0372e856115cb5021f3b84df0fa63c128d69
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e4680e59-9071-47f4-9f90-35e1540b0080/
SH256 hash:
c65305549fdcbb5ee55a7019bed5a52ea606fdfce46c301f1144db9e376becb8
MD5 hash:
2f81e802f771ee61f59f611e80e503d1
SHA1 hash:
49a7f59aa1c04351e056ca90a423a67b70af14f3
Detections:
SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e4680e59-9071-47f4-9f90-35e1540b0080/
SH256 hash:
e5c257d372af5c2714dc011602ad251b165b46d81700bf2c21f4ebdfe1d9b86a
MD5 hash:
52c3629647ad114f7ad5777a58944b6c
SHA1 hash:
30b1400a80b987af8de710389856eb892dc0ab2a
Link:
https://www.unpac.me/results/e4680e59-9071-47f4-9f90-35e1540b0080/
SH256 hash:
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
MD5 hash:
a69559718ab506675e907fe49deb71e9
SHA1 hash:
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
Link:
https://www.unpac.me/results/e4680e59-9071-47f4-9f90-35e1540b0080/
SH256 hash:
55ca81f2084cdd1de0b250954fd90a688a4386aafca6c3c25cd541feba4d4ec8
MD5 hash:
329c7479a4661b8443dbf229aa4b698d
SHA1 hash:
43d0ea6f7f7284044efd0f9e89753d7f1834712c
Link:
https://www.unpac.me/results/e4680e59-9071-47f4-9f90-35e1540b0080/
SH256 hash:
6d43481f0c34f78fbb1932aef4313ce476013df2aa5aef09f251893de39f8ca9
MD5 hash:
d2c157167154ca3bbb5c1486aafef374
SHA1 hash:
aa7f9e5a73f7d62d1885c4ceb4dd98db75f435a6
Link:
https://www.unpac.me/results/e4680e59-9071-47f4-9f90-35e1540b0080/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c28810e81ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 5c28810e81ff40393cfe7f03c4723de8ac6f4b540d1c4ebbb06ec872bde495a7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3483302/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoW
kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments