MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6
SHA3-384 hash: 1ee5dd3acae0d6e1c24559f479344abdff511db8615616178ab03f457c0bd1905d90ef8b18875e4308d7f3225e4fe4ff
SHA1 hash: 0dbd2497ae33a795679945874797f0cd59df924c
MD5 hash: 2d6d6b7487256f64188084ff91201932
humanhash: shade-seventeen-arkansas-moon
File name:fputty.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:931'840 bytes
First seen:2025-11-19 16:11:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d45e1c2c77fb8ef0eeb6be3078fd07c (1 x AsyncRAT)
ssdeep 6144:2zWUsyutDGF1sgdgpIU5cjUhCWSVr6jQ48+jzWUsyutDGP1sgdgpIUyibHQDzVI7:2yUstAhi5SVrX48gyUstuheHQFItMbr
Threatray 1'654 similar samples on MalwareBazaar
TLSH T128154A56B3F510EAE8B78639C9625651EB72B8301770D7DF039042791E23BE19E3EB21
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter x86
Tags:AsyncRAT exe


Avatar
x86rax
Opendir @199.247.2[.]137 -> https://github.com/Donrulezz/test

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://199.247.2.137/fputty.exe
Verdict:
Malicious activity
Analysis date:
2025-11-19 15:57:03 UTC
Tags:
github xor-url generic stealer
Link:
https://app.any.run/tasks/f8e45833-12b5-44d5-9e2e-3293a4811e5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38685/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691dec7027c5936d7d0dca7f
Tags:
shellcode dropper trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Connecting to a non-recommended domain
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm explorer lolbin microsoft_visual_cc wscript
Link:
https://www.filescan.io/uploads/691dec6b5d488801e231f1af/reports/06f91232-1a2c-4b78-ba30-3b699082837e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-19T14:25:00Z UTC
Last seen:
2025-11-20T16:09:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Shellcode.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.Crysan.lwg Backdoor.MSIL.Crysan.c Backdoor.MSIL.Crysan.b UDS:DangerousObject.Multi.Generic Trojan.Win32.Inject.sb Backdoor.MSIL.Agent.sb Trojan.Win64.Agentb.sb Trojan.MSIL.Donut.sb HEUR:Trojan.MSIL.Cryptos.gen HEUR:Backdoor.MSIL.SheetRat.gen HEUR:Backdoor.MSIL.Crysan.gen Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Crysan.d Trojan.Shellcode.TCP.C&C Backdoor.MSIL.Crysan.lwh
Link:
https://opentip.kaspersky.com/8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7dc503f2-fd4d-4c38-a51d-52c8e33d22a5
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/2d6d6b7487256f64188084ff91201932
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6/
Verdict:
Malicious
Threat:
Family.ZGRAT
Link:
https://tip.neiki.dev/file/8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6
Threat name:
Win64.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-19 16:12:29 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
10 of 36 (27.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rlaxaglp7om6x63qar3cnhedapbw7y7id5kwbbadvzv5iu4nrhla._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
donutloader
Create hunting rule
unc_loader_078
Create hunting rule
Similar samples:
2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a
AsyncRAT
5e7f879e41daf4d06a1a3c9fc0dae67033d49de8a7fe73074b43af7f46a622ba
AsyncRAT
73fbb0ff8f68a724d25d2b5aaf538328765354a0b91298ce8e292649c3642cdf
AsyncRAT
8a6ac42273774f12b5e5f3bba953365cb44ca63a0dd888e301a295f34fff69fd
AsyncRAT
8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6
AsyncRAT
94d3ea79f8c5ca711431010276ec84db1eab20e8d33f2c2293e8f3347d378adf
AsyncRAT
b312ad755ed2937661ef26ac8490eeb0c5b27b296faa5b325a5af424865f3bab
AsyncRAT
c56eada17d6c1dc11aef7339b2976be7fd74fbc531d1ffe360ee144316681f72
AsyncRAT
d17fbdccb55a602246b26034b6ce9d64ae1c3b5ad48fd93a732d2fb1dd8de6df
AsyncRAT
e17f553220905c179fb636a60e8cac9b29f2fb67d41cf86d8cef8a7c24e5d936
AsyncRAT
error
AsyncRAT
+ 1'644 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:donutloader botnet:6-nov adware discovery loader rat spyware
Link:
https://tria.ge/reports/251119-tnqc7swqdj/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Async RAT payload
AsyncRat
Asyncrat family
Detects DonutLoader
DonutLoader
Donutloader family
Malware Config
C2 Extraction:
94.154.35.111:21001
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7ba78e4c-e976-4e8b-ab93-389709f759db
Unpacked files
SH256 hash:
8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6
MD5 hash:
2d6d6b7487256f64188084ff91201932
SHA1 hash:
0dbd2497ae33a795679945874797f0cd59df924c
Link:
https://www.unpac.me/results/4ea2df7a-1f7b-40df-bf1c-14f81c675a76/
SH256 hash:
47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428
MD5 hash:
ced47b89212f3260ebeb41682a4b95ec
SHA1 hash:
148c0cde4f2ef807aea77d7368f00f4c519f47ef
Link:
https://www.unpac.me/results/4ea2df7a-1f7b-40df-bf1c-14f81c675a76/
SH256 hash:
86c2f15515f1151f9678fdc55cb95fdc25ba7741a930b779292e4977ce208f6f
MD5 hash:
148bb3a0d443593f0fc13ed45a395d21
SHA1 hash:
b856c82966376d897d30ee39b3f074a0250fa6b7
Link:
https://www.unpac.me/results/4ea2df7a-1f7b-40df-bf1c-14f81c675a76/
SH256 hash:
1a23141818f907f087f02f0569cab4029505e23f38ab363088d4ac6058c881c9
MD5 hash:
b5c7b1aa68e29ad49e4873f95f255cd8
SHA1 hash:
ae3b992c5221c510879944d40f1aebbd9c5eaa81
Link:
https://www.unpac.me/results/4ea2df7a-1f7b-40df-bf1c-14f81c675a76/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ac170196ffb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ac170196ffb99ebfb700476269c8303c36fe3e81f55608403ae6bd4538d89d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/f8e45833-12b5-44d5-9e2e-3293a4811e5e
  
Dropping
Asyncrat
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/38685/

Comments