MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f0d84c1adec55c55b5712999b009e04869fffc5a365b02e7095eadad86eee14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	9f0d84c1adec55c55b5712999b009e04869fffc5a365b02e7095eadad86eee14
SHA3-384 hash:	f91c8dd14be3d6deb25f3786600721455b33455224b2756a4ee2d606411e80834e0701f7ded6c93824e59736a83f92cb
SHA1 hash:	b01699cbae30d0d54ff59e83304025412211cd1c
MD5 hash:	2ecf6ed5fe46becdae4fcdb3ed3ec0ad
humanhash:	apart-massachusetts-lithium-network
File name:	0.ps1
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	103'768 bytes
First seen:	2025-05-27 06:52:11 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	1536:q6sFspTzjN11zo+/tpbCRDrDDhNSzB1cKnyw9NwQgKC9aDRzXZ:q6sFs1511zvnCRjTSYKyw9Nwx2X
TLSH	T17DA31AFA1203BE9F462B0D55E40C1240ACDD9CA7F3E8C1A8FF4559E65AD84189DB4EB8
Magika	unknown
Reporter	JAMESWT_WT
Tags:	ps1 webmail-aruba-it--ajaxfile

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Packed2.43192.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683562d5668438e362e7573c

Tags:

trojan virus

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/9f0d84c1adec55c55b5712999b009e04869fffc5a365b02e7095eadad86eee14

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1699605

Signature

AI detected malicious Powershell script

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9f0d84c1adec55c55b5712999b009e04869fffc5a365b02e7095eadad86eee14

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f0d84c1adec55c55b5712999b009e04869fffc5a365b02e7095eadad86eee14/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-05-15 20:19:29 UTC

File Type:

Text

AV detection:

7 of 37 (18.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t4gyjqnn5rk4kw2xckmzwae6asdj776funs3altqsxvnvwdo5yka._file

Result

Malware family:

n/a

Score:

3/10

Tags:

execution

Link:

https://tria.ge/reports/250527-hm8bva1j16/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9f0d84c1adec55c55b5712999b009e04869fffc5a365b02e7095eadad86eee14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_Reversed_Base64_Encoded_EXE_RID3291 Create hunting rule
Author:	Florian Roth
Description:	Detects an base64 encoded executable with reversed characters
Reference:	Internal Research