MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa4b643b0cf8f91532272dc7a1c2426f0da0aceeaa653831ad0daf55df2e6eef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 10


SHA256 hash: aa4b643b0cf8f91532272dc7a1c2426f0da0aceeaa653831ad0daf55df2e6eef
SHA3-384 hash: 8cda6bb2fe7a8da3a0e9c96e721b9369e713faef16b7d7ba1cc05d2afb6646f758bffe617f58c27f15e65dc08707f44c
SHA1 hash: 661a9533ec7300f2012f2ee3c6506dff0a7952bf
MD5 hash: 556c49b40ec4764b781d6d6eb9f97edd
humanhash: oranges-pluto-cold-colorado
File name: 64thServices v24.lnk.bin
Signature: AsyncRAT
File size: 1'660 bytes
First seen: 2026-03-01 10:52:04 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8VZJI5UmtJ1TAY8PA+/2PyJi5iFfa4A+U/FIP4I0aA3yUUXQaR3+9h/LnU+Y+/vm:8C+1vJi51NxfIPzXv3WzU+Yk
TLSH: T1F931C0552FDA0329D3B2C63B54B5E3824A33B950E9738F5C4280D28C2C65600E836F2B
Magika: lnk
Reporter: burger
Tags: AsyncRAT, lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 49
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: LNK
Details: LNK (a command line and any observed URLs)

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs (URL / File name):
https://wpgbf1zg-5500.euw.devtunnels.ms/64/loader.exe / LNK File
Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd, evasive, lolbin, masquerade
Result
Verdict: Malicious
File Type: lnk
Detections: Trojan-Downloader.Win32.Agent.sba, Trojan.WinLNK.Agent.sb, HEUR:Trojan.WinLNK.Agent.gen
Result
Threat name: AsyncRAT, Dacic, DcRat, MalLnk
Detection: malicious
Classification: phis.troj.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious page (phishing or scam)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample uses string decryption to hide its real strings
Sigma detected: Curl Download And Execute Combination
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Dacic
Yara detected DcRat
Yara detected malicious lnk
Behaviour
Behavior Graph (ID: 1876453; Sample: 64thServices v24.lnk.bin.lnk; Startdate: 01/03/2026; Architecture: WINDOWS; Score: 100)
Threat name: Shortcut.Trojan.Generic
Status: Suspicious
First seen: 2026-02-21 04:16:46 UTC
File Type: Binary
AV detection: 7 of 36 (19.44%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion, discovery, execution
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Looks for VMWare services registry key
Enumerates VirtualBox registry keys
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.
Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments