MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afb836456231f7b679809cdf7a3a9994732027f07b97340dfa0d4c8260736979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afb836456231f7b679809cdf7a3a9994732027f07b97340dfa0d4c8260736979
SHA3-384 hash: 564211c96a0fade66ed65faeb03b21824d913056f839a818c4bc86e6295e7911e8c3232cf8f12bf6d7e15eaac99261d4
SHA1 hash: 609bf746638be7119800b6c91cfcad0a9bb146c3
MD5 hash: 08f4ae1a272d152b9cbcddce02dd1f9d
humanhash: lamp-winter-fruit-edward
File name:LOADER.js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:760'439 bytes
First seen:2025-07-21 12:52:03 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:IHwTUIUbEf8qcS8LRWWU/4ZIO+vQExnUBZP/DJCAhqW24FP0QXKr6p0XDePoeuHh:Iqd858twcjP6+
Threatray 2'217 similar samples on MalwareBazaar
TLSH T11AF4DE8DF7493C6B926CDF1E155BF93A3426D5DE8C95D6A28108FBB43CF70066A34842
Magika javascript
Reporter smica83
Tags:AsyncRAT FIN js

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687e380584b37dd61ef03889
Tags:
shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/687e38108a7d628a81b9ffc4/reports/5ee430b8-6ffc-4b55-9f04-146d69b53ba4/overview
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.MalBehav.gen
Link:
https://www.hybrid-analysis.com/sample/afb836456231f7b679809cdf7a3a9994732027f07b97340dfa0d4c8260736979
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1741231
Signature
Allocates memory in foreign processes
Command shell drops VBS files
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1741231 Sample: LOADER.js Startdate: 21/07/2025 Architecture: WINDOWS Score: 100 127 zereoo.duckdns.org 2->127 147 Suricata IDS alerts for network traffic 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 Multi AV Scanner detection for submitted file 2->151 155 11 other signatures 2->155 13 wscript.exe 1 2 2->13         started        17 wscript.exe 2->17         started        19 wscript.exe 2->19         started        21 wscript.exe 2->21         started        signatures3 153 Uses dynamic DNS services 127->153 process4 file5 125 C:\Users\user\AppData\Local\Temp\ijC.bat, DOS 13->125 dropped 181 JScript performs obfuscated calls to suspicious functions 13->181 183 Wscript starts Powershell (via cmd or directly) 13->183 185 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->185 187 Suspicious execution chain found 13->187 23 cmd.exe 1 13->23         started        26 cmd.exe 17->26         started        28 cmd.exe 19->28         started        30 cmd.exe 21->30         started        signatures6 process7 signatures8 157 Suspicious powershell command line found 23->157 159 Wscript starts Powershell (via cmd or directly) 23->159 161 Obfuscated command line found 23->161 163 3 other signatures 23->163 32 powershell.exe 12 23->32         started        35 conhost.exe 23->35         started        37 powershell.exe 26->37         started        39 conhost.exe 26->39         started        41 powershell.exe 28->41         started        43 conhost.exe 28->43         started        45 powershell.exe 30->45         started        47 conhost.exe 30->47         started        process9 signatures10 133 Uses schtasks.exe or at.exe to add and modify task schedules 32->133 135 Found suspicious powershell code related to unpacking or dynamic code loading 32->135 49 cmd.exe 5 32->49         started        53 cmd.exe 37->53         started        55 cmd.exe 41->55         started        57 cmd.exe 45->57         started        process11 file12 109 C:\ProgramData\IntelDriver\cmd.exe, PE32+ 49->109 dropped 111 C:\ProgramData\IntelDriver\windows.cmd, DOS 49->111 dropped 113 C:\...\user-PC_windows64x_APZOacoasfjc.vbs, ASCII 49->113 dropped 137 Obfuscated command line found 49->137 139 Command shell drops VBS files 49->139 141 Uses cmd line tools excessively to alter registry or file data 49->141 143 Renames powershell.exe to bypass HIPS 49->143 59 cmd.exe 49->59         started        63 cmd.exe 13 49->63         started        65 cmd.exe 49->65         started        73 3 other processes 49->73 145 Suspicious command line found 53->145 67 cmd.exe 53->67         started        75 5 other processes 53->75 69 cmd.exe 55->69         started        77 5 other processes 55->77 71 conhost.exe 57->71         started        signatures13 process14 file15 121 C:\Users\user\AppData\...\baowfpns.cmdline, Unicode 59->121 dropped 165 Injects code into the Windows Explorer (explorer.exe) 59->165 167 Writes to foreign memory regions 59->167 169 Allocates memory in foreign processes 59->169 171 Creates a thread in another existing process (thread injection) 59->171 79 cmd.exe 59->79         started        82 explorer.exe 59->82 injected 85 csc.exe 59->85         started        173 Powershell is started from unusual location (likely to bypass HIPS) 63->173 175 Found suspicious powershell code related to unpacking or dynamic code loading 63->175 177 Reads the Security eventlog 63->177 123 C:\ProgramData\IntelDriver\AarSvcw.dll, PE32+ 65->123 dropped 88 csc.exe 67->88         started        90 cmd.exe 67->90         started        179 Reads the System eventlog 69->179 92 csc.exe 69->92         started        94 cmd.exe 69->94         started        signatures16 process17 dnsIp18 189 Suspicious powershell command line found 79->189 191 Wscript starts Powershell (via cmd or directly) 79->191 193 Encrypted powershell cmdline option found 79->193 96 powershell.exe 79->96         started        129 45.74.16.89, 49692, 49694, 6606 M247GB United States 82->129 131 zereoo.duckdns.org 194.59.31.2, 49691, 7707 COMBAHTONcombahtonGmbHDE Germany 82->131 195 System process connects to network (likely due to code injection or exploit) 82->195 197 Tries to harvest and steal browser information (history, passwords, etc) 82->197 115 C:\Users\user\AppData\Local\...\baowfpns.dll, PE32 85->115 dropped 99 cvtres.exe 85->99         started        117 C:\Users\user\AppData\Local\...\u3uo4jqb.dll, PE32 88->117 dropped 101 cvtres.exe 88->101         started        119 C:\Users\user\AppData\Local\...\pejy1apv.dll, PE32 92->119 dropped 103 cvtres.exe 92->103         started        file19 signatures20 process21 file22 107 C:\Users\user\AppData\...\IntelDriverTask.xml, XML 96->107 dropped 105 schtasks.exe 96->105         started        process23
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/afb836456231f7b679809cdf7a3a9994732027f07b97340dfa0d4c8260736979
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afb836456231f7b679809cdf7a3a9994732027f07b97340dfa0d4c8260736979/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.Cryptoload
Link:
https://tip.neiki.dev/file/afb836456231f7b679809cdf7a3a9994732027f07b97340dfa0d4c8260736979
Threat name:
Script-JS.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-07-21 12:52:20 UTC
File Type:
Text (JavaScript)
AV detection:
6 of 22 (27.27%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v64dmrlcgh33m6mattpxuouzsrzsaj7qpoltidp2bvgieydtnf4q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
4fdc01f9adfa9a74bd03c27fa804ba5e75942259d2bffdf9392acf8b87fba079
AsyncRAT
78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43
AsyncRAT
bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d
AsyncRAT
error
AsyncRAT
fdf4b3b369c23a82e39b41a43597e9bed789c4aa3fff2a210e554562c06c3e3c
AsyncRAT
+ 2'207 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250721-p37htatzas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afb836456231f7b679809cdf7a3a9994732027f07b97340dfa0d4c8260736979

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments