MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 21


Intelligence 21 IOCs 1 YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64
SHA3-384 hash: e0e67e288089832f2502da7ad2d4f7c22626e9902f16b21253d6cfa5a59f92112e4ba3ca6acbf03ec28817b4d14fc1df
SHA1 hash: 11b7c7ad7b6e3d34b2cbae3a856633914f6375a9
MD5 hash: 0ab6f3b92b95300017ece242835e7c30
humanhash: magnesium-fix-minnesota-king
File name:PGYaOmZ1r7DbUL6.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:601'088 bytes
First seen:2025-07-29 03:10:08 UTC
Last seen:2025-07-31 11:35:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:IU90Rk1Fh945I6EYnco4KRS70Dd3/B/GKcwUzKhT:IU4w/45IHYct70DdJ/JCz
TLSH T1BDD4F12432E6CC03C99D437C5AB3E0740379DE5A6603C35E6FE56DBF7A697921A120E2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
196.251.88.252:19803

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
196.251.88.252:19803 https://threatfox.abuse.ch/ioc/1561840/

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
_63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64.exe
Verdict:
Malicious activity
Analysis date:
2025-07-29 03:11:26 UTC
Tags:
auto-sch-xml auto-reg asyncrat
Link:
https://app.any.run/tasks/6425cd83-f15a-4e09-b731-e40a48ee7aba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17468/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68883bac0b4775fb2132c185
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Running batch commands
Creating a process from a recently created file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat base64 bitmap config-extracted exploit lolbin msbuild njrat njrat obfuscated packed packed rat reconnaissance reg regsvcs rezer0 roboski schtasks stego vbc
Link:
https://www.filescan.io/uploads/68883bacc79df08ef0974bfd/reports/e4e3f1f6-a0e3-447b-9417-b98f7ed62734/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b5b9e24-0529-48ba-9350-317f51ab714a
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1746045
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1746045 Sample: PGYaOmZ1r7DbUL6.exe Startdate: 29/07/2025 Architecture: WINDOWS Score: 100 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 11 other signatures 2->87 8 PGYaOmZ1r7DbUL6.exe 7 2->8         started        12 Michikoc.exe 2->12         started        14 mLufpmCp.exe 5 2->14         started        16 2 other processes 2->16 process3 file4 69 C:\Users\user\AppData\Roaming\mLufpmCp.exe, PE32 8->69 dropped 71 C:\Users\...\mLufpmCp.exe:Zone.Identifier, ASCII 8->71 dropped 73 C:\Users\user\AppData\Local\...\tmpEB6F.tmp, XML 8->73 dropped 75 C:\Users\user\...\PGYaOmZ1r7DbUL6.exe.log, ASCII 8->75 dropped 91 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->91 93 Uses schtasks.exe or at.exe to add and modify task schedules 8->93 95 Adds a directory exclusion to Windows Defender 8->95 18 PGYaOmZ1r7DbUL6.exe 6 8->18         started        21 powershell.exe 23 8->21         started        24 schtasks.exe 1 8->24         started        97 Multi AV Scanner detection for dropped file 12->97 99 Injects a PE file into a foreign processes 12->99 26 powershell.exe 12->26         started        35 2 other processes 12->35 28 mLufpmCp.exe 1 2 14->28         started        31 schtasks.exe 1 14->31         started        33 mLufpmCp.exe 14->33         started        37 4 other processes 16->37 signatures5 process6 dnsIp7 67 C:\Users\user\AppData\Roaming\Michikoc.exe, PE32 18->67 dropped 39 cmd.exe 18->39         started        41 cmd.exe 18->41         started        89 Loading BitLocker PowerShell Module 21->89 43 conhost.exe 21->43         started        45 conhost.exe 24->45         started        47 conhost.exe 26->47         started        77 196.251.88.252, 19803, 49702 Web4AfricaZA Seychelles 28->77 79 127.0.0.1 unknown unknown 28->79 49 conhost.exe 31->49         started        51 conhost.exe 35->51         started        53 conhost.exe 37->53         started        55 conhost.exe 37->55         started        file8 signatures9 process10 process11 57 conhost.exe 39->57         started        59 timeout.exe 39->59         started        61 Michikoc.exe 39->61         started        63 conhost.exe 41->63         started        65 schtasks.exe 41->65         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.24 Win 32 Exe x86
Link:
https://app.malva.re/file/0ab6f3b92b95300017ece242835e7c30
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Infostealer.Heuristic
Link:
https://tip.neiki.dev/file/63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-07-29 03:10:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=moqd2gmywibe7gamm2dtce6uzplueywpwg2ma5uci3ryskg3jnsa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
error
AsyncRAT
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default defense_evasion discovery execution persistence rat spyware stealer
Link:
https://tria.ge/reports/250729-dpa2xabn8x/
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
127.0.0.1:19803
196.251.88.252:19803
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/db648014-ff7d-4e64-989c-247f568b9e4d
Unpacked files
SH256 hash:
63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64
MD5 hash:
0ab6f3b92b95300017ece242835e7c30
SHA1 hash:
11b7c7ad7b6e3d34b2cbae3a856633914f6375a9
Link:
https://www.unpac.me/results/29f6a2e9-a190-4fe3-9f3c-8b8aa1820cd1/
SH256 hash:
4f8b2f865b38d77f68bf3a370f0a494852e36879c21c016f7e17b6342698be3c
MD5 hash:
de03415b1f4158a9ae65795420a73b7e
SHA1 hash:
c741dc0c113e30b0ab6dbc53c729d313dd8fa83d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/29f6a2e9-a190-4fe3-9f3c-8b8aa1820cd1/
SH256 hash:
8d26523d1f9666dfba6e35320172df143d157a4b3f69d56fc383171257ad2c80
MD5 hash:
ab0419ed360d445a6ac977fef081c91c
SHA1 hash:
e4f7a8c0bf7dedcabfacebf5a59dec7817dd45a2
Link:
https://www.unpac.me/results/29f6a2e9-a190-4fe3-9f3c-8b8aa1820cd1/
SH256 hash:
f68d8d8881493aef1641ea5dd67584be6f33a871fa81019c420d442a2f7ab41d
MD5 hash:
c26466e32db0ba9330ed1aa9f0008d87
SHA1 hash:
f0d17f5320289675d06b6306b371327aeae5fd9d
Detections:
win_asyncrat_w0
Create hunting rule
AsyncRAT
Create hunting rule
asyncrat
Create hunting rule
win_asyncrat_bytecodes
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Link:
https://www.unpac.me/results/29f6a2e9-a190-4fe3-9f3c-8b8aa1820cd1/
Parent samples :
63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64
ecc76e448179411f5da32df012b94265f90dcb76366dff2a728a34405a0a2ba6
ba656c76c7366c1aab95e735327f076b9cef77c442c2598fe2182c5eeb61eb36
cd91908e6f1f320c216738d3357f949741d35b2c2b23fa84fbe482d4be842cb1
47f70c5d74fb0c00ee39f86290744df6403b87e94ecfd613202b5ed5988c8970
0c45dbdaf171ab11f54426e63e1a7e8b2b7533c8df13382745cb674368ccea43
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63a03d1998b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63a03d1998b2024f980c66873113d4cbd74262cfb1b4c0768246e38928db4b64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:AsyncRAT_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked AsyncRAT malware samples.
Rule name:asyncrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Mal_WIN_AsyncRat_RAT_PE
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Asyncrat_11a11ba1
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_bytecodes
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17468/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments