MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 49 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a
SHA3-384 hash: e8d320f58965585e7eaff974c430811540807d125dc437432550cee830808a273d8d99b177a3913b9eea4c708eaba798
SHA1 hash: 442773850054396acc4850008f634f257654f886
MD5 hash: 12e55a6344f698d3739971befdbe4105
humanhash: thirteen-carolina-thirteen-washington
File name:BBVA SWIFT103 Message-pdf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'066'880 bytes
First seen:2025-07-16 03:15:44 UTC
Last seen:2025-07-22 10:40:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 49152:GVg5tQ7ary6s6y36MQ+Iu2Xo00ZxEThYkEFC4tfBDcP0k5:Ig56P6sDpIu2XNlithcP
TLSH T1DBE5021363DD83A4C3725273BA5A7701AEBB7C2506A5F96B2FD40D3CE920122525EB73
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:AsyncRAT BBVA exe RAT VenomRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
47
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BBVA SWIFT103 Message-pdf.exe
Verdict:
No threats detected
Analysis date:
2025-07-16 03:39:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d23cc9b-8866-4528-bfe3-d6a740c89f9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
StormKitty
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14742/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6877198c3e506f63f5a3fbcc
Tags:
underscore autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint keylogger microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6877198f7bc45bdee1adbdf8/reports/a4a64a46-7ed2-421c-aa27-cbdc71fdef78/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a
Malware family:
Stealerium Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0310b0c4-c696-494d-8d88-441729418f0a
Result
Threat name:
AsyncRAT, KeyLogger, StormKitty, VenomRA
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1737701
Signature
Binary is likely a compiled AutoIt script file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/12e55a6344f698d3739971befdbe4105
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-07-14 22:04:38 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=miteqomctjvjsjdukqgr7ykuqlx7rddqt7mkburv6rh6kjsj54na._file
Verdict:
malicious
Label(s):
unc_loader_036
Create hunting rule
asyncrat
Create hunting rule
stormkitty
Create hunting rule
autoit
Create hunting rule
Similar samples:
error
AsyncRAT
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250716-dsn3yabj41/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0594387a-9117-4330-83d0-dd94212c132b
Unpacked files
SH256 hash:
62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a
MD5 hash:
12e55a6344f698d3739971befdbe4105
SHA1 hash:
442773850054396acc4850008f634f257654f886
Link:
https://www.unpac.me/results/f6e5edc8-b8b1-42b6-ba7e-14abbbb17686/
SH256 hash:
291875f63d57c5b50a0c492e14c681317f03e6d11f464eb144bf9a2ee4c7b3a8
MD5 hash:
9dc9426c8dc330ee98a6979400d6cdb2
SHA1 hash:
32527680deadf92229c5243cba9818a459f20265
Detections:
MALWARE_Win_DLAgent10
Create hunting rule
Link:
https://www.unpac.me/results/f6e5edc8-b8b1-42b6-ba7e-14abbbb17686/
Parent samples :
62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a
af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980
6261725cc075d343f4a875f0546732d9b9de811efbc5a26bc6fdc62c1d43cf62
SH256 hash:
ab47605ffd91925cd3c2637962523122bf4eb73ab8ba48a8097726cad2601a2d
MD5 hash:
1c6ce7519b040a443d31b4d1d0ae8d6d
SHA1 hash:
a6c91f503ebbb157a7de77ceb7c3606bf90980bb
Link:
https://www.unpac.me/results/f6e5edc8-b8b1-42b6-ba7e-14abbbb17686/
SH256 hash:
121c1c66d5fb31cc90c9febb6c98a8b6e5144139990d2ed12161c9fe6fcb7f12
MD5 hash:
5d26a40958fdc065bbe8135b3744c6b0
SHA1 hash:
b3b9bfc1bbdd2c78581992868150b6855ca7bc6e
Detections:
AsyncRAT
Create hunting rule
DiscordRatWebcamGrabber
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
MALWARE_Win_StormKitty
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_DLAgent10
Create hunting rule
MALWARE_Win_ArrowRAT
Create hunting rule
Link:
https://www.unpac.me/results/f6e5edc8-b8b1-42b6-ba7e-14abbbb17686/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:ffdroider
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked ffdroider stealer malware samples.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many VPN software clients. Observed in infosteslers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
Author:ditekSHen
Description:Detects executables with interest in wireless interface using netsh
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MALWARE_Win_ArrowRAT
Create hunting rule
Author:ditekSHen
Description:Detects ArrowRAT
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_StormKitty
Create hunting rule
Author:ditekSHen
Description:Detects StormKitty infostealer
Rule name:Mal_WIN_AsyncRat_RAT_PE
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:venomrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Windows_Generic_Threat_21253888
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_2bb6f41d
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_DCRat_1aeea1ac
Create hunting rule
Author:Elastic Security
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14742/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments