MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde
SHA3-384 hash: 99b92c2066501fa00c356325c5dbfa20ce3d716862ea918bf3b83a3ebea9670ff80f2a74a00b4e42fb63708321159dfc
SHA1 hash: fedd02ce206de7fbbc859867f0d2aef0975459e8
MD5 hash: 6b227c37199254960b9ed172cabe3a8a
humanhash: spring-sad-october-grey
File name:PPr2.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'672'829 bytes
First seen:2025-06-07 15:22:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'472 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:vvK/A8d8Dp2oWUoKoABAmxA8eoty5KW6PVXAU:XK/A8d8D4oLoABAmuVmysddXAU
TLSH T14975014AE2453C6AD5308B39B0AB65B3B5E6EE50BCF58C8C205A730137FBDD1610EDA5
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4504/4/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon f0f0dcdcaed8f8f4 (1 x AsyncRAT)
Reporter aachum
Tags:AsyncRAT donutloader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
441
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PPr2.exe
Verdict:
Malicious activity
Analysis date:
2025-06-07 15:22:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9686542c-5c38-4e56-9880-d32d307a67f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7914/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.OpenCandy7AF.8482.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68445a6c07b5e8c1cfe56933
Tags:
dropper extens virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Launching a process
Searching for the window
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Connection attempt
Possible injection to a system process
Enabling autorun for a service
Setting a global event handler for the keyboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint installer overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/68445965fd02ed5e059d4923/reports/d46b6718-b6f6-4bac-8485-f981d3688278/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b9af4da3-1293-4cb3-9041-1911d75b1240
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1708962
Signature
.NET source code contains potential unpacker
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell launch regsvr32
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1708962 Sample: PPr2.exe Startdate: 07/06/2025 Architecture: WINDOWS Score: 100 79 Malicious sample detected (through community Yara rule) 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 5 other signatures 2->85 11 PPr2.exe 2 2->11         started        14 rundll32.exe 2->14         started        16 svchost.exe 2->16         started        19 4 other processes 2->19 process3 file4 73 C:\Users\user\AppData\Local\Temp\...\PPr2.tmp, PE32 11->73 dropped 21 PPr2.tmp 3 6 11->21         started        24 rundll32.exe 6 14->24         started        28 powershell.exe 7 14->28         started        30 regsvr32.exe 14->30         started        77 Changes security center settings (notifications, updates, antivirus, firewall) 16->77 32 MpCmdRun.exe 16->32         started        signatures5 process6 dnsIp7 59 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->61 dropped 63 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 21->63 dropped 34 PPr2.exe 2 21->34         started        75 27.124.4.150, 10761 BCPL-SGBGPNETGlobalASNSG Singapore 24->75 87 System process connects to network (likely due to code injection or exploit) 24->87 37 conhost.exe 28->37         started        39 conhost.exe 32->39         started        file8 signatures9 process10 file11 57 C:\Users\user\AppData\Local\Temp\...\PPr2.tmp, PE32 34->57 dropped 41 PPr2.tmp 20 9 34->41         started        process12 file13 65 C:\Users\user\AppData\...\unins000.exe (copy), PE32 41->65 dropped 67 C:\Users\user\AppData\Local\is-I5GCF.tmp, PE32 41->67 dropped 69 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 41->69 dropped 71 4 other malicious files 41->71 dropped 44 powershell.exe 15 41->44         started        47 regsvr32.exe 41->47         started        process14 signatures15 89 Suspicious execution chain found 44->89 49 rundll32.exe 44->49         started        51 conhost.exe 44->51         started        53 regsvr32.exe 47->53         started        process16 process17 55 rundll32.exe 49->55         started       
Score:
29%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde/
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-04-23 08:39:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgizkicwyeh6plnif2njiszt4nzam3ubcap436hj3zlohky7x7pa._file
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader defense_evasion discovery execution loader
Link:
https://tria.ge/reports/250607-ssjwjsbq4s/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Hide Artifacts: Ignore Process Interrupts
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f1ac5ff6-d451-425b-8662-eea1a21f0730
Unpacked files
SH256 hash:
8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde
MD5 hash:
6b227c37199254960b9ed172cabe3a8a
SHA1 hash:
fedd02ce206de7fbbc859867f0d2aef0975459e8
Link:
https://www.unpac.me/results/2d6e99ca-ba40-46b1-8fef-9d338a454fc3/
SH256 hash:
83a34ae09f8197ceffebb1506516895173e6cc7c6415b9c061589ae9a333f166
MD5 hash:
25e72da09fa0743de97ea99946df4194
SHA1 hash:
1f6405cbd0e1a34de6fd1e313e7deda67406c5b5
Link:
https://www.unpac.me/results/2d6e99ca-ba40-46b1-8fef-9d338a454fc3/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/2d6e99ca-ba40-46b1-8fef-9d338a454fc3/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/2d6e99ca-ba40-46b1-8fef-9d338a454fc3/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/2d6e99ca-ba40-46b1-8fef-9d338a454fc3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:ScanStringsInsocks5systemz
Create hunting rule
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe d8a9d2f8408a851cdcad1e1bae571e640f9039da09505ce4ea846133fca91800

AsyncRAT

Executable exe 8991952056c10fe7ada82e9a944b33e372066e81101fcdf8e9de56e3ab1fbfde

(this sample)

  
Link
https://tria.ge/250607-spvtmsxp13/behavioral1
  
Dropped by
SHA256 d8a9d2f8408a851cdcad1e1bae571e640f9039da09505ce4ea846133fca91800
  
Delivery method
Distributed via web download
  
Dropped by
MD5 356c9e7eae1493000915a75df7146d82
Cape
Cape
https://www.capesandbox.com/analysis/7914/

Comments