MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d
SHA3-384 hash: dafd0957620351a98616cf170ceaf8ca865c451ef495bfdd5307b0bf68249366c7a506ba1348e7cfc0ebe4d0071e81fc
SHA1 hash: 9cd4c8a03aaa3f0997cf5ac61ca8f7aa7e6db52b
MD5 hash: 4ec98457f0fd1edf2f4c282daea7cd55
humanhash: mobile-alaska-robin-eighteen
File name:LetsVPN.msi
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:13'405'696 bytes
First seen:2026-06-18 08:45:25 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:B12pvEdyg59GgOLbjBiS63T1jZsjT713:B1WWCBif3T1jZsjTB
TLSH T1A0D62321A68FC636E16D017BD83EAE0EA1397DA7033041CBA3F4799E2D714C15A7D792
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:AsyncRAT msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
Link:
https://research.acce.ciphertechsolutions.com/results/68491aa2-511d-48f5-9826-6687b33151c4/
Detection:
HijackLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71131/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a33b06454a045c3408a1deb
Tags:
fakeapp virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 CAB cmd crypto expand expired-cert explorer fingerprint installer keylogger lolbin lolbin msiexec packed reconnaissance reconnaissance short-lived-cert wix
Link:
https://www.filescan.io/uploads/6a33b0499799578a6c3f63cd/reports/2235b733-9408-4566-9781-cb712b448fba/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d
Verdict:
Malicious
File Type:
msi
First seen:
2026-06-17T16:46:00Z UTC
Last seen:
2026-06-19T00:26:00Z UTC
Hits:
~10
Detections:
Backdoor.DCRat.TCP.C&C Trojan.Win32.Shellcode.qrs Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d/results?tab=lookup
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1929835
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1929835 Sample: LetsVPN.msi Startdate: 18/06/2026 Architecture: WINDOWS Score: 100 99 beacons3.gvt2.com 2->99 101 beacons2.gvt2.com 2->101 103 3 other IPs or domains 2->103 119 Suricata IDS alerts for network traffic 2->119 121 Found malware configuration 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 7 other signatures 2->125 12 msiexec.exe 81 35 2->12         started        16 msiexec.exe 15 2->16         started        18 wefault.exe 2->18         started        20 26 other processes 2->20 signatures3 process4 dnsIp5 83 C:\Windows\Installer\MSIA41B.tmp, PE32+ 12->83 dropped 85 C:\Windows\Installer\MSI9B10.tmp, PE32 12->85 dropped 87 C:\Windows\Installer\MSI9AD1.tmp, PE32 12->87 dropped 95 3 other malicious files 12->95 dropped 141 Drops executables to the windows directory (C:\Windows) and starts them 12->141 23 MSIA41B.tmp 1 12->23         started        25 msiexec.exe 1 12->25         started        27 msiexec.exe 12->27         started        89 C:\Users\user\AppData\Local\...\MSIA529.tmp, PE32 16->89 dropped 91 C:\Users\user\AppData\Local\...\MSIA4EA.tmp, PE32 16->91 dropped 93 C:\Users\user\AppData\Local\...\MSI873F.tmp, PE32 16->93 dropped 97 7 other malicious files 16->97 dropped 29 wefault.exe 18->29         started        105 192.168.2.6, 443, 49680, 49681 unknown unknown 20->105 107 127.0.0.1 unknown unknown 20->107 143 Changes security center settings (notifications, updates, antivirus, firewall) 20->143 31 chrome.exe 20->31         started        34 MpCmdRun.exe 20->34         started        36 WerFault.exe 20->36         started        file6 signatures7 process8 dnsIp9 38 AAA.exe 13 23->38         started        41 ChromeSetup.exe 7 25->41         started        43 wefault.exe 29->43         started        46 WerFault.exe 29->46         started        111 www.google.com 142.251.157.119, 443, 49716 GOOGLE-GoogleLLCUS United States 31->111 113 play.google.com 142.251.210.142, 443, 49711, 49712 GOOGLE-GoogleLLCUS United States 31->113 115 17 other IPs or domains 31->115 48 conhost.exe 34->48         started        process10 file11 73 C:\ProgramData\python\wefault.exe, PE32 38->73 dropped 75 C:\ProgramData\python\...\wefault.exe, PE32+ 38->75 dropped 77 C:\ProgramData\python\...\vcruntime140.dll, PE32+ 38->77 dropped 81 4 other malicious files 38->81 dropped 50 wefault.exe 38->50         started        79 C:\Windows\SystemTemp\...\updater.exe, PE32 41->79 dropped 52 updater.exe 20 14 41->52         started        131 Adds a directory exclusion to Windows Defender 43->131 56 powershell.exe 43->56         started        signatures12 process13 file14 58 wefault.exe 1 6 50->58         started        71 C:\Program Files (x86)behaviorgraphoogle\...\updater.exe, PE32 52->71 dropped 127 Drops executables to the windows directory (C:\Windows) and starts them 52->127 62 updater.exe 52->62         started        129 Loading BitLocker PowerShell Module 56->129 64 conhost.exe 56->64         started        signatures15 process16 dnsIp17 109 124.156.169.80, 49747, 8000 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Hong Kong SAR China 58->109 133 Bypasses PowerShell execution policy 58->133 135 Adds a directory exclusion to Windows Defender 58->135 137 Disables UAC (registry) 58->137 139 2 other signatures 58->139 66 powershell.exe 58->66         started        signatures18 process19 signatures20 117 Loading BitLocker PowerShell Module 66->117 69 conhost.exe 66->69         started        process21
Score:
92%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d/
Verdict:
Malicious
Threat:
Trojan.Win32.TCP
Link:
https://tip.neiki.dev/file/b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-17 12:53:37 UTC
File Type:
Binary (Archive)
Extracted files:
355
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wkgof3vz4s2vkkiivjoawfiv34u2fkox42uljncqd34o4apjqegq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260618-kn81wagt2r/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b28ce2eeb9e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b28ce2eeb9e4b5552908aa5c0b1515df29a2a9d7e6a8b4b4501ef8ee01e9810d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71131/

Comments