MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 15 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e
SHA3-384 hash: 3b5f0a1871461369d516f4fbb28fc59a1201471ffdfceda4801d8f74d33416cd5e95c6a4e9897e38452057cc2e3a6e1d
SHA1 hash: 3174f75e4b17e97f4423a469ae272a88bca872eb
MD5 hash: 7d63d08d9dcacfd48ba9844e19d70454
humanhash: yellow-quiet-queen-wyoming
File name:Zalo.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:477'184 bytes
First seen:2026-01-30 19:48:49 UTC
Last seen:2026-01-31 12:03:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'793 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 1536:usCHzmUt6cKGbbEwZsrXyG9VQP2Y962Jr3tzDX0OVclN:uTzmUkbGbbEcePQbJr3tnk0Y
Threatray 2'522 similar samples on MalwareBazaar
TLSH T139A4B1F12396C15CE0BB4BB75D6241FC027ABD322036D6097C84769F5A7AFC674231A6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Anonymous
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
DcRat PostExploitTool
Details
DcRat
c2 socket addresses, a version, a mutex, an SSL certificate and server signature, an interval, varying flags, and possibly a filepath and a group
Link:
https://research.acce.ciphertechsolutions.com/results/d2814310-7da3-4925-80b5-88464892a2de/
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
_5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e.exe
Verdict:
Malicious activity
Analysis date:
2026-01-30 19:50:03 UTC
Tags:
auto-reg asyncrat
Link:
https://app.any.run/tasks/b7ab6d82-afa7-4f20-b9d9-f74c24fdfc32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/50928/
Detection(s):
Win.Packed.Razy-9807129-0
Create hunting rule

Win.Malware.Generickdz-9865912-0
Create hunting rule

Win.Trojan.AsyncRAT-9914220-0
Create hunting rule

Win.Malware.Zusy-10034587-0
Create hunting rule

Win.Packed.Generickdz-10058942-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697d0b49d93e7233498bebab
Tags:
asyncrat autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm asyncrat base64 configsecuritypolicy evasive fingerprint hacktool lolbin mpcmdrun msconfig razy reconnaissance regedit schtasks vbnet
Link:
https://www.filescan.io/uploads/697d0b45930564ff3c7f75c7/reports/31028410-9318-4b88-a015-afceb5d6cbea/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-30T16:53:00Z UTC
Last seen:
2026-02-01T13:25:00Z UTC
Hits:
~100
Detections:
Backdoor.MSIL.Crysan.d PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agent.gen HEUR:Backdoor.MSIL.SheetRat.gen HEUR:Backdoor.MSIL.DcRat.gen PDM:Trojan.Win32.Tasker.cust Trojan.MSIL.DInvoke.sb HEUR:Trojan.MSIL.Agent.gen Backdoor.MSIL.Darkrat.sb Backdoor.MSIL.Crysan.sb
Link:
https://opentip.kaspersky.com/5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a196823-682e-4bbe-858b-adf497ac912f
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e
Gathering data
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e/
Verdict:
Malicious
Threat:
Family.ANARCHYRAT
Link:
https://tip.neiki.dev/file/5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2026-01-30 19:49:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltcfiwqilpl66jvmpsbzed4o2hfopgmduxuqft6gakiakpkliopa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
09a8ffc1121140f4f6969630e2ada1f9f3766917260871f8d0437c16557d9e86
AsyncRAT
76123bdf89c69344ccbf5a7770d92c40d49adcde963a9546054aa783fb6b581d
AsyncRAT
7938e7b6dfe01efb34a4186ea425fb5003c67b0637e6919800ed246e3e57f7f4
AsyncRAT
808fb4904d102f9ca6bc523db3be820d7614230f843ae128ddf86f946e8980f7
AsyncRAT
851afa6f3343202f7cf017e1b4e7ada2063132ad3e726c26fc33e1d657e24586
AsyncRAT
9add4b744ba1937057ff7b5a0e2b1e86e4a4cfff53faa012bd0f49d22dfdff7b
AsyncRAT
ccc6f088e6a1b9c9bcee3af6e5baa094e868b111ea4f62cb377db909b1398ba8
AsyncRAT
e36f23a8fa59e0d256c28bb433e5e357fe43b5eb14651bc983ef9c043ed25cc2
AsyncRAT
e54f398b81ea6cd06564536964e061bc0384607daa4a0ea577c502746fb4f745
AsyncRAT
error
AsyncRAT
f41c17f9bba9c25464b3055ba41f032a93384306dc1c555f62ef4b83f44fe751
AsyncRAT
+ 2'512 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:horizon defense_evasion execution persistence rat
Link:
https://tria.ge/reports/260130-yjt8tafs7a/
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
sunwin8.it.com:8848
sunwin8.it.com:443
sunwin8.it.com:8080
sunwin8.it.com:80
sunwin8.it.com:8888
sunwin8.it.com:2053
sunwin8.it.com:2083
sunwin8.it.com:2087
sunwin8.it.com:2096
sunwin8.it.com:4782
hitclubs.it.com:8848
hitclubs.it.com:443
hitclubs.it.com:8080
hitclubs.it.com:80
hitclubs.it.com:8888
hitclubs.it.com:2053
hitclubs.it.com:2083
hitclubs.it.com:2087
hitclubs.it.com:2096
hitclubs.it.com:4782
wickerwear.uk.com:8848
wickerwear.uk.com:443
wickerwear.uk.com:8080
wickerwear.uk.com:80
wickerwear.uk.com:8888
wickerwear.uk.com:2053
wickerwear.uk.com:2083
wickerwear.uk.com:2087
wickerwear.uk.com:2096
wickerwear.uk.com:4782
fastloanapproval.us.com:8848
fastloanapproval.us.com:443
fastloanapproval.us.com:8080
fastloanapproval.us.com:80
fastloanapproval.us.com:8888
fastloanapproval.us.com:2053
fastloanapproval.us.com:2083
fastloanapproval.us.com:2087
fastloanapproval.us.com:2096
fastloanapproval.us.com:4782
piedra.mex.com:8848
piedra.mex.com:443
piedra.mex.com:8080
piedra.mex.com:80
piedra.mex.com:8888
piedra.mex.com:2053
piedra.mex.com:2083
piedra.mex.com:2087
piedra.mex.com:2096
piedra.mex.com:4782
hit-club.de.com:8848
hit-club.de.com:443
hit-club.de.com:8080
hit-club.de.com:80
hit-club.de.com:8888
hit-club.de.com:2053
hit-club.de.com:2083
hit-club.de.com:2087
hit-club.de.com:2096
hit-club.de.com:4782
taihitclub.it.com:8848
taihitclub.it.com:443
taihitclub.it.com:8080
taihitclub.it.com:80
taihitclub.it.com:8888
taihitclub.it.com:2053
taihitclub.it.com:2083
taihitclub.it.com:2087
taihitclub.it.com:2096
taihitclub.it.com:4782
piscina.mex.com:8848
piscina.mex.com:443
piscina.mex.com:8080
piscina.mex.com:80
piscina.mex.com:8888
piscina.mex.com:2053
piscina.mex.com:2083
piscina.mex.com:2087
piscina.mex.com:2096
piscina.mex.com:4782
hitclubapk.it.com:8848
hitclubapk.it.com:443
hitclubapk.it.com:8080
hitclubapk.it.com:80
hitclubapk.it.com:8888
hitclubapk.it.com:2053
hitclubapk.it.com:2083
hitclubapk.it.com:2087
hitclubapk.it.com:2096
hitclubapk.it.com:4782
www.sunwin8.it.com:8848
www.sunwin8.it.com:443
www.sunwin8.it.com:8080
www.sunwin8.it.com:80
www.sunwin8.it.com:8888
www.sunwin8.it.com:2053
www.sunwin8.it.com:2083
www.sunwin8.it.com:2087
www.sunwin8.it.com:2096
www.sunwin8.it.com:4782
www.hitclubs.it.com:8848
www.hitclubs.it.com:443
www.hitclubs.it.com:8080
www.hitclubs.it.com:80
www.hitclubs.it.com:8888
www.hitclubs.it.com:2053
www.hitclubs.it.com:2083
www.hitclubs.it.com:2087
www.hitclubs.it.com:2096
www.hitclubs.it.com:4782
www.wickerwear.uk.com:8848
www.wickerwear.uk.com:443
www.wickerwear.uk.com:8080
www.wickerwear.uk.com:80
www.wickerwear.uk.com:8888
www.wickerwear.uk.com:2053
www.wickerwear.uk.com:2083
www.wickerwear.uk.com:2087
www.wickerwear.uk.com:2096
www.wickerwear.uk.com:4782
www.fastloanapproval.us.com:8848
www.fastloanapproval.us.com:443
www.fastloanapproval.us.com:8080
www.fastloanapproval.us.com:80
www.fastloanapproval.us.com:8888
www.fastloanapproval.us.com:2053
www.fastloanapproval.us.com:2083
www.fastloanapproval.us.com:2087
www.fastloanapproval.us.com:2096
www.fastloanapproval.us.com:4782
www.piedra.mex.com:8848
www.piedra.mex.com:443
www.piedra.mex.com:8080
www.piedra.mex.com:80
www.piedra.mex.com:8888
www.piedra.mex.com:2053
www.piedra.mex.com:2083
www.piedra.mex.com:2087
www.piedra.mex.com:2096
www.piedra.mex.com:4782
www.hit-club.de.com:8848
www.hit-club.de.com:443
www.hit-club.de.com:8080
www.hit-club.de.com:80
www.hit-club.de.com:8888
www.hit-club.de.com:2053
www.hit-club.de.com:2083
www.hit-club.de.com:2087
www.hit-club.de.com:2096
www.hit-club.de.com:4782
www.taihitclub.it.com:8848
www.taihitclub.it.com:443
www.taihitclub.it.com:8080
www.taihitclub.it.com:80
www.taihitclub.it.com:8888
www.taihitclub.it.com:2053
www.taihitclub.it.com:2083
www.taihitclub.it.com:2087
www.taihitclub.it.com:2096
www.taihitclub.it.com:4782
www.piscina.mex.com:8848
www.piscina.mex.com:443
www.piscina.mex.com:8080
www.piscina.mex.com:80
www.piscina.mex.com:8888
www.piscina.mex.com:2053
www.piscina.mex.com:2083
www.piscina.mex.com:2087
www.piscina.mex.com:2096
www.piscina.mex.com:4782
www.hitclubapk.it.com:8848
www.hitclubapk.it.com:443
www.hitclubapk.it.com:8080
www.hitclubapk.it.com:80
www.hitclubapk.it.com:8888
www.hitclubapk.it.com:2053
www.hitclubapk.it.com:2083
www.hitclubapk.it.com:2087
www.hitclubapk.it.com:2096
www.hitclubapk.it.com:4782
Unpacked files
SH256 hash:
5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e
MD5 hash:
7d63d08d9dcacfd48ba9844e19d70454
SHA1 hash:
3174f75e4b17e97f4423a469ae272a88bca872eb
Detections:
AsyncRAT
Create hunting rule
DCRat
Create hunting rule
Link:
https://www.unpac.me/results/007f7ecc-cee0-468e-b0da-f415519c7ae8/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5cc4545a085b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:dcrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:dcrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:dcrat_rkp
Create hunting rule
Author:jeFF0Falltrades
Description:Detects DCRat payloads
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:Mal_WIN_AsyncRat_RAT_PE
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e

(this sample)

Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/50928/

Comments


Avatar
commented on 2026-01-30 19:51:10 UTC

RAT King Parser (https://github.com/jeFF0Falltrades/rat_king_parser) Output:

{
"sha256": "5cc4545a085bd7ef26ac7c83920f8ed1cae79983a5e902cfc60290053d4b439e",
"yara_possible_family": "dcrat",
"key": "17a424f15a7ddce620229099ca2d45a47400181648842e17ad62a92e6ac707e1",
"salt": "4463526174427971777164616e6368756e",
"config": {
"Ports": [
"8848",
"443",
"8080",
"80",
"8888",
"2053",
"2083",
"2087",
"2096",
"4782"
],
"Hosts": [
"sunwin8.it.com",
"hitclubs.it.com",
"wickerwear.uk.com",
"fastloanapproval.us.com",
"piedra.mex.com",
"hit-club.de.com",
"taihitclub.it.com",
"piscina.mex.com",
"hitclubapk.it.com",
"www.sunwin8.it.com",
"www.hitclubs.it.com",
"www.wickerwear.uk.com",
"www.fastloanapproval.us.com",
"www.piedra.mex.com",
"www.hit-club.de.com",
"www.taihitclub.it.com",
"www.piscina.mex.com",
"www.hitclubapk.it.com"
],
"Version": " 1.0.7",
"Install": "true",
"InstallFolder": "%AppData%",
"InstallFile": "Zalo.exe",
"Key": "SEtPS0NISVYyc3ZCdUpPWmttd3ZyVWNDUmhrTmJzb2s=",
"Mutex": "TSCC_ImperiumStrategic_TitanLock_1j2k3l4m",
"Certificate": "MIICMDCCAZmgAwIBAgIVALV2hi3nDM88rPB/M+k+VIWkqiwpMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTI1MDQxMDE0MzgxNFoXDTM2MDExODE0MzgxNFowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALu1/TPbf4WQAMY4lBsw1V9BE5NJoMEVaoZJpruwyZmgadVZ7ePGdMWMsG3k+/NF6Cz1dZE613KPO6z0hVyPisWurgoyGYMtg6jUuIL/H3x9IvUm2Riz8oMduRAGRMRI1iIEvoiwslly4ETLcdz8rrmic00CCAd8diqjbvWOHwcFAgMBAAGjMjAwMB0GA1UdDgQWBBRs6/fysekOOsqmPQXMl1JdplMoajAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAExlcGELH6yyl+ijRGy5jh75mPg6zxed3//3cSuqPHMMdkK/N/q1d9BEqy7py30aJrpDiMXRJedqa8xyHRfLoEQ7k8P7IFRsIeLBXZuSOICorcn8jwyTumKR+RIkNfIZvM49g7MLXqXTaPGELWi2Yr9qJi5xwMxl0UeqJfqXgmDE",
"Serversignature": "mnJaj8XJUt0W8HTUz9A8xJ9dQV1dtKWZePRhu9T/jROFXoCIvlrd36ZqDmrCeczB+3fMXkr8iuqXkb7j+yq4cxibMYhJEsj0GAvYs6N3p6sQGGqoC+lvcfKYkVG2A80TRghswfmjFD10wsV0M1NlZ3gVHH0eJFNbwXGfo6ORWYA=",
"Pastebin": "null",
"BSOD": "false",
"Hwid": "null",
"Delay": "1",
"Group": "Horizon",
"AntiProcess": "false",
"Anti": "false"
}
}