MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a84ed26a47b1b660b927375d9d69a6c33fbc90901e5aafebc6b856ecef37cca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10
SHA256 hash: a84ed26a47b1b660b927375d9d69a6c33fbc90901e5aafebc6b856ecef37cca8
SHA3-384 hash: 68dfd53fd3ff6cbe94a7e89b29df68fbebb9e818940cb6c221769bfd332316eb16734a0ff567dc400b5044544b87618b
SHA1 hash: 02ae2733a9056942944b8689bacf71dac3c1941e
MD5 hash: 3debc9d7fc1a38a0f30cbb662b5fbe6f
humanhash: low-ink-march-leopard
File name: 653fcc.msi
Signature: AsyncRAT
File size: 163'840 bytes
First seen: 2025-08-07 05:54:50 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1536:DEc9zXI/ve71W2vsVy6maBXRzKBeWGXrY2dRZUvMFMQiN9RNRwBfNkBM0vbC:DEizXInEW22rzpXrY2dRVURX2f8Q
TLSH: T1E6F31ACBBA94DD97D905533845E68315133AFF908B864B132D24B6391F33BD0BF9628A
TrID: 84.7% (.MSP) Windows Installer Patch (44509/10/5)
      15.2% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: smica83
Tags: msi VenomRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 38
Origin country: HU

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.1%
Tags: dropper virus

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: installer lolbin obfuscated wix wscript
Result
Verdict: MALICIOUS
Details:
  Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
  Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: KeyLogger, StormKitty, VenomRAT
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Disables the Smart Screen filter
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph (ID 1751991; sample 653fcc.msi; start date 07/08/2025; architecture WINDOWS; score 100), laid out as a process tree with the graph's node numbers in parentheses:

Top level (2)
  DNS/IP: bc0c40.ddnsking.com; grupdev.bet
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected Keylogger Generic; 16 other signatures
  Started: msiexec.exe (12); cmd.exe (16); cmd.exe (18); msiexec.exe (20)

msiexec.exe (12)
  Dropped: C:\Windows\Installer\MSIC606.tmp (PE32+)
  Signatures: Drops executables to the windows directory (C:\Windows) and starts them
  Started: MSIC606.tmp (22)

cmd.exe (16)
  Signatures: Wscript starts Powershell (via cmd or directly); Uses schtasks.exe or at.exe to add and modify task schedules
  Started: powershell.exe (26); conhost.exe (28)

cmd.exe (18)
  Started: powershell.exe (30); conhost.exe (32)

MSIC606.tmp (22)
  Dropped: C:\Users\user\AppData\...\ms_C634.tmp.js (ASCII)
  Signatures: Found API chain indicative of debugger detection
  Started: wscript.exe (34)

powershell.exe (26)
  Dropped: C:\Users\user\AppData\...\l04n5dj1213.exe (PE32)
  Signatures: Uses cmd line tools excessively to alter registry or file data
  Started: l04n5dj1213.exe (38); powershell.exe (40); attrib.exe (42)

powershell.exe (30)
  Dropped: C:\Users\user\AppData\...\vjhvaamkgwo.exe (PE32)
  Started: vjhvaamkgwo.exe (44); powershell.exe (46); attrib.exe (48)

wscript.exe (34)
  Dropped: C:\Users\user\AppData\Local\...\rad2DF25.ps1 (Unicode)
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Creates autostart registry keys with suspicious values (likely registry only malware); 4 other signatures
  Started: powershell.exe (50)

l04n5dj1213.exe (38)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

powershell.exe (40)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (55)

powershell.exe (46)
  Started: conhost.exe (57)

powershell.exe (50)
  DNS/IP: grupdev.bet 104.21.54.97, port 443 (local ports 49687, 49691), CLOUDFLARENETUS, United States
  Dropped: C:\Users\user\AppData\...\jjxrup32xwu.exe (PE32)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; Powershell drops PE file
  Started: jjxrup32xwu.exe (59); powershell.exe (63); conhost.exe (65); attrib.exe (67)

jjxrup32xwu.exe (59)
  Dropped: C:\Users\user\AppData\Roaming\Microsoft.exe (PE32); C:\Users\user\AppData\...\jjxrup32xwu.exe.log (CSV)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: cmd.exe (69); cmd.exe (71)

powershell.exe (63)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (73)

cmd.exe (69)
  Started: Microsoft.exe (75); conhost.exe (79); timeout.exe (81)

cmd.exe (71)
  Started: conhost.exe (83); schtasks.exe (85)

Microsoft.exe (75)
  DNS/IP: bc0c40.ddnsking.com 216.70.72.152, port 4449 (local ports 49692, 49694), MEDIATEMPLEUS, United States
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:stormkitty defense_evasion execution persistence privilege_escalation ransomware rat stealer
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Downloads MZ/PE file
Enumerates connected drives
Obfuscated Files or Information: Command Obfuscation
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Executable_Converted_to_MSI

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

Rule name: INDICATOR_MSI_EXE2MSI
Author: ditekSHen
Description: Detects executables converted to .MSI packages using a free online converter.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) Powershell or CMD command that can be abused by a threat actor (can create FP).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT | Microsoft Software Installer (MSI) msi | a84ed26a47b1b660b927375d9d69a6c33fbc90901e5aafebc6b856ecef37cca8 (this sample)