MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae
SHA3-384 hash: 47e6408a4c30c701b691a3d5d632f9827b92ae51381425857be225833b1cafee011cebaf5a1a040c3cad040802134ee0
SHA1 hash: 48ad61dc26a5d0dda2568d8fa07e148a2d524fc1
MD5 hash: c88b2a46d6e66a39c71e863569e68327
humanhash: stream-carbon-virginia-charlie
File name:LavernBatch.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:8'518 bytes
First seen:2025-09-07 11:18:46 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 96:lPfLl8oBs5B1b/c6LGlpj9ipzSUcgdzNOI7GY3KDnyYj8/JVgw4mvGwdBLkE8oKa:lPPJ6y9rKdzNeryYcOmOskE8bEjE3Gp
Threatray 1'279 similar samples on MalwareBazaar
TLSH T162025D43946D462FF6E6227564E10DD0839CC64842FFDFA8C4E4DD31668FB1121EE788
Magika batch
Reporter smica83
Tags:AsyncRAT bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LavernBatch.bat
Verdict:
No threats detected
Analysis date:
2025-09-07 11:19:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a61e457-9559-4080-ab49-590aadf566e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26095/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bd6a44dae297b6c16469ce
Tags:
autorun dropper shell sage
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68bd6a3b20d0ee406d98d740/reports/7e88bb39-f2d8-4866-8eae-9d9421f61318/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-09-07T08:37:00Z UTC
Last seen:
2025-09-07T08:37:00Z UTC
Hits:
~100
Detections:
Trojan.Agentb.TCP.C&C PDM:Trojan.Win32.Generic Trojan.MSIL.DInvoke.sb HEUR:Trojan-Spy.MSIL.Keylogger.gen HEUR:Trojan.MSIL.Agent.gen HEUR:Backdoor.MSIL.SheetRat.gen Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Darkrat.sb HEUR:Trojan-PSW.MSIL.Agent.gen Backdoor.MSIL.VenomRAT.a HackTool.Binder.TCP.ServerRequest HEUR:Trojan.BAT.Alien.gen NetTool.PowerShellGet.HTTP.C&C NetTool.PowerShellUA.HTTP.C&C
Link:
https://opentip.kaspersky.com/8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae/results?tab=lookup
Result
Threat name:
Dacic, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772590
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Disables Windows Defender (via service or powershell)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Dacic
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772590 Sample: LavernBatch.bat Startdate: 07/09/2025 Architecture: WINDOWS Score: 100 30 lavern123.duckdns.org 2->30 32 raw.githubusercontent.com 2->32 34 2 other IPs or domains 2->34 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Yara detected Dacic 2->48 52 17 other signatures 2->52 8 cmd.exe 1 2->8         started        11 powershell.exe 5 2->11         started        signatures3 50 Uses dynamic DNS services 30->50 process4 signatures5 54 Suspicious powershell command line found 8->54 56 Bypasses PowerShell execution policy 8->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 2 other signatures 8->60 13 Client.exe 14 4 8->13         started        17 powershell.exe 23 8->17         started        19 powershell.exe 14 16 8->19         started        24 12 other processes 8->24 22 conhost.exe 11->22         started        process6 dnsIp7 36 lavern123.duckdns.org 88.235.98.224, 49723, 49724, 49726 TTNETTR Turkey 13->36 38 dpaste.org 104.20.36.119, 443, 49722, 49725 CLOUDFLARENETUS United States 13->38 62 Antivirus detection for dropped file 13->62 64 Multi AV Scanner detection for dropped file 13->64 66 Loading BitLocker PowerShell Module 17->66 68 Powershell drops PE file 17->68 26 WmiPrvSE.exe 17->26         started        40 github.com 140.82.113.4, 443, 49720 GITHUBUS United States 19->40 42 raw.githubusercontent.com 185.199.110.133, 443, 49721 FASTLYUS Netherlands 19->42 28 C:\Users\user\AppData\Local\Temp\Client.exe, PE32 19->28 dropped 70 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->70 file8 signatures9 process10
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae
Threat name:
Script-BAT.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-07 11:19:28 UTC
File Type:
Text
AV detection:
5 of 38 (13.16%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxg2hwwlln3qxb4fgteytcclvjmuhx7u53zkg7trwxmt77rwmgxa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
51042b77cd0432083c33d32d17332f8bb196c48e8f1d075174e3ab7a8fbf9c7d
AsyncRAT
6a24ba25482c73d193fcc208d8ae267236b870b9ab30c44cabe2dc8bfb7a1073
AsyncRAT
9e8c53c359ba5b038d232d80163ff1e00081fa12695b757a2affcfec37aa11c6
AsyncRAT
ee6844c262a1f73501e51fa9df9c6c993bf442c3d4b78686e3ace38b18789210
AsyncRAT
error
AsyncRAT
+ 1'269 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default defense_evasion execution persistence rat
Link:
https://tria.ge/reports/250907-ne23rahj5s/
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8dcda3dacb5b770b878534c989884baa5943dff4eef2a37e71b5d93ffe3661ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26095/

Comments