MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6261725cc075d343f4a875f0546732d9b9de811efbc5a26bc6fdc62c1d43cf62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 20

SHA256 hash: 6261725cc075d343f4a875f0546732d9b9de811efbc5a26bc6fdc62c1d43cf62
SHA3-384 hash: 21f3264ade5ec1454ad27e1e23c046f1311a7f873f58e3458332f60508d1678a8addde1d67607741cd2135c1bd46ac9f
SHA1 hash: a70eae89919f9dc6f8ffbbb9e1815f4740fd32b0
MD5 hash: b3c385e62840b4256e793f8f4ce39c58
humanhash: arizona-alabama-avocado-carpet
File name: b3c385e62840b4256e793f8f4ce39c58.exe
Signature: AsyncRAT
File size: 4'052'480 bytes
First seen: 2025-09-11 06:21:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9391c4d011b74463c0b80c8ef62af14 (4 x LummaStealer, 2 x Rhadamanthys, 1 x NanoCore)
ssdeep: 98304:T7OeKrxh9zZXr2Zumd7nX6U53RYSlyG/2:T7OeKV3F7iBdj1mSlm
Threatray: 58 similar samples on MalwareBazaar
TLSH: T1A216334390F3A1A7F613E1F02A38D968583DF9B33E384EDB6154E13962658D20777A1B
TrID: 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.6% (.EXE) OS/2 Executable (generic) (2029/13)
      9.5% (.EXE) Generic Win/DOS Executable (2002/3)
      9.4% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: AsyncRAT exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 120
Origin country: SE
Vendor Threat Intelligence
Malware family:
ID: 1
File name: cfc62fbe176cefe081ffcd7666655a3a.exe
Verdict: Malicious activity
Analysis date: 2025-09-10 22:25:26 UTC
Tags: lumma stealer amadey auto redline botnet arch-exec loader anti-evasion darkvision remote stealc vidar auto-reg nanocore rat coinminer miner purecrypter rdp purelogs gcleaner github

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: infosteal asyncrat autorun emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating synchronization primitives
Running batch commands
Creating a file in the %temp% directory
Creating a file
Launching a process
Connecting to a non-recommended domain
Connection attempt
Creating a window
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt keylogger microsoft_visual_cc packed
Verdict: Malicious
File Type: exe x32
First seen: 2025-09-10T19:32:00Z UTC
Last seen: 2025-09-10T19:32:00Z UTC
Hits: ~100
Malware family: Stealerium Stealer
Verdict: Malicious
Result
Threat name: KeyLogger, StormKitty, VenomRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph (image not reproduced): Behavior Graph ID 1775335; Sample: 278sVyOCpi.exe; Startdate: 11/09/2025; Architecture: WINDOWS; Score: 100. The graph shows the submitted sample dropping SUbQabJNA7.exe and DrczEHdTGH.exe under the user's AppData directory, SUbQabJNA7.exe writing Wihnup.exe to AppData\Roaming and re-launching it through cmd.exe, timeout.exe and schtasks.exe, and Wihnup.exe connecting to 45.88.186.245 on port 4449 (Netherlands).
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-09-10 22:21:58 UTC
File Type: PE (Exe)
AV detection: 30 of 38 (78.95%)
Threat level: 5/5
Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:stormkitty defense_evasion discovery execution persistence rat stealer
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Async RAT payload
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments