MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812
SHA3-384 hash: 3650ce453c74889732bdfca929e329fb77c44bddd9618126420e68e24a9def70326b1682d9cbb210c4f5facf7bea0fe0
SHA1 hash: 66fb81982cd8229469e71f533c6d3be8d2ab5007
MD5 hash: 5eff5fbf2110add294da3eb10c79299e
humanhash: mountain-sad-cola-autumn
File name:xegYmPC.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:5'161'529 bytes
First seen:2025-05-27 16:44:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (20 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 98304:+pOJrisWhInmSdcerdqwY4TSfo/0dR9+Sf9req0KO+PTVG0PNm:+p2QhInmSxI4Gfo8FRf9r1TvPQac
TLSH T15F36338133C4F9F1D9219AB28F5EE7235672D5A895B10E639FDD2E0A2D931C4260B1CF
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
425
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
https://google.com
Verdict:
Malicious activity
Analysis date:
2025-05-27 09:51:35 UTC
Tags:
loader amadey botnet stealer rdp themida lumma telegram evasion hijackloader miner gcleaner rat asyncrat remote auto generic antivm rust
Link:
https://app.any.run/tasks/ff3b9034-dcaf-4747-b1c8-e0c850e22ba5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5905/
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6835ed30668438e362e7776f
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer microsoft_visual_cc overlay overlay packed packer_detected
Link:
https://www.filescan.io/uploads/6835ec2a171e01f9592e9071/reports/d959e5aa-594e-4d03-981f-1c71a8e5f974/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2789ae8b-326d-4919-88c8-6e4b5eb96e58
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1700042
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1700042 Sample: xegYmPC.exe Startdate: 27/05/2025 Architecture: WINDOWS Score: 100 116 uplink-routes.asia 2->116 118 nodedock.shop 2->118 120 3 other IPs or domains 2->120 150 Suricata IDS alerts for network traffic 2->150 152 Malicious sample detected (through community Yara rule) 2->152 154 Multi AV Scanner detection for dropped file 2->154 156 2 other signatures 2->156 13 xegYmPC.exe 6 2->13         started        16 Infra-Co.exe 2->16         started        18 USilv.exe 2->18         started        signatures3 process4 file5 96 C:\Users\user\AppData\Local\...\ies_Core.dll, PE32 13->96 dropped 98 C:\Users\user\AppData\Local\Temp\USilv.exe, PE32 13->98 dropped 21 USilv.exe 9 13->21         started        100 C:\ProgramData\...\Infra-Co.exe, PE32 16->100 dropped 102 C:\ProgramData\...\Wex.Logger.dll, PE32 16->102 dropped 104 C:\ProgramData\...\Wex.Communication.dll, PE32 16->104 dropped 108 6 other files (none is malicious) 16->108 dropped 25 Infra-Co.exe 16->25         started        106 C:\Users\user\AppData\Local\...\840E9BA.tmp, PE32+ 18->106 dropped 144 Modifies the context of a thread in another process (thread injection) 18->144 146 Maps a DLL or memory area into another process 18->146 27 tcpvcon.exe 18->27         started        29 BetaContro.exe 18->29         started        signatures6 process7 file8 82 C:\ProgramData\Monmon5\USilv.exe, PE32 21->82 dropped 84 C:\ProgramData\Monmon5\ies_Core.dll, PE32 21->84 dropped 160 Switches to a custom stack to bypass stack traces 21->160 162 Found direct / indirect Syscall (likely to bypass EDR) 21->162 31 USilv.exe 8 21->31         started        86 C:\Users\user\AppData\Local\...\96D6514.tmp, PE32+ 25->86 dropped 164 Modifies the context of a thread in another process (thread injection) 25->164 166 Found hidden mapped module (file has been removed from disk) 25->166 168 Maps a DLL or memory area into another process 25->168 35 tcpvcon.exe 25->35         started        37 NeuroM.exe 25->37         started        39 conhost.exe 27->39         started        signatures9 process10 file11 110 C:\Users\user\AppData\Roaming\...\tcpvcon.exe, PE32 31->110 dropped 112 C:\Users\user\AppData\Local\...\6A54154.tmp, PE32+ 31->112 dropped 114 C:\ProgramData\BetaContro.exe, PE32+ 31->114 dropped 136 Modifies the context of a thread in another process (thread injection) 31->136 138 Found hidden mapped module (file has been removed from disk) 31->138 140 Maps a DLL or memory area into another process 31->140 142 2 other signatures 31->142 41 BetaContro.exe 2 31->41         started        46 tcpvcon.exe 3 31->46         started        48 conhost.exe 35->48         started        signatures12 process13 dnsIp14 126 nodedock.shop 104.21.1.69, 443, 49687 CLOUDFLARENETUS United States 41->126 128 uplink-routes.asia 104.21.96.1, 443, 49686, 49712 CLOUDFLARENETUS United States 41->128 88 C:\Users\user\AppData\...\jRE9kd1BncC299.exe, PE32 41->88 dropped 170 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->170 172 Tries to harvest and steal browser information (history, passwords, etc) 41->172 174 Writes to foreign memory regions 41->174 180 3 other signatures 41->180 50 jRE9kd1BncC299.exe 13 41->50         started        54 chrome.exe 2 41->54         started        176 Switches to a custom stack to bypass stack traces 46->176 178 Found direct / indirect Syscall (likely to bypass EDR) 46->178 57 conhost.exe 46->57         started        file15 signatures16 process17 dnsIp18 74 C:\Users\user\AppData\...\Wex.Logger.dll, PE32 50->74 dropped 76 C:\Users\user\...\Wex.Communication.dll, PE32 50->76 dropped 78 C:\Users\user\AppData\...\Wex.Common.dll, PE32 50->78 dropped 80 6 other malicious files 50->80 dropped 158 Multi AV Scanner detection for dropped file 50->158 59 Infra-Co.exe 7 50->59         started        124 192.168.2.7, 137, 138, 443 unknown unknown 54->124 63 chrome.exe 54->63         started        file19 signatures20 process21 dnsIp22 90 C:\Users\user\AppData\Roaming\...\tcpvcon.exe, PE32 59->90 dropped 92 C:\Users\user\AppData\Local\...\792A260.tmp, PE32+ 59->92 dropped 94 C:\ProgramData94euroM.exe, PE32+ 59->94 dropped 182 Modifies the context of a thread in another process (thread injection) 59->182 184 Found hidden mapped module (file has been removed from disk) 59->184 186 Maps a DLL or memory area into another process 59->186 188 Switches to a custom stack to bypass stack traces 59->188 66 tcpvcon.exe 59->66         started        69 NeuroM.exe 59->69         started        130 www.google.com 74.125.137.99, 443, 49696, 49701 GOOGLEUS United States 63->130 132 beacons.gcp.gvt2.com 63->132 134 beacons-handoff.gcp.gvt2.com 63->134 file23 signatures24 process25 dnsIp26 148 Switches to a custom stack to bypass stack traces 66->148 72 conhost.exe 66->72         started        122 flare-299.shop 104.21.112.1, 49710, 80 CLOUDFLARENETUS United States 69->122 signatures27 process28
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812/
Threat name:
Win32.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-05-27 09:55:40 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wme2gtmpb7ljme6tbt2uiyevg36qrzze5q6iyquzd7eryks5haja._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
error
AsyncRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250527-t9mt7sxks3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e2d1e977-a609-4213-b8e1-6a3048cd20d1
Unpacked files
SH256 hash:
eac6c2eed08f22820fd0c15b4270717b566b1d45e7de3c5eb2f037e5ab5c8ca0
MD5 hash:
e13fb3e45547d16f8d572ece1627fb19
SHA1 hash:
c203b7a66272e53abbe134fbbc552e8325f0c053
Link:
https://www.unpac.me/results/3b858d00-3c1c-4bb2-9a21-8cb8d21fb48a/
SH256 hash:
e4a5cce903ba24ffbe9b4ef71e1adfb40bac38952934b4070109a9633c408098
MD5 hash:
b0ce060b2fdee224fa2c02125dcaa71b
SHA1 hash:
f514da06af7a966ea96fb78b0f7ce6fa0826154c
Link:
https://www.unpac.me/results/3b858d00-3c1c-4bb2-9a21-8cb8d21fb48a/
SH256 hash:
b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812
MD5 hash:
5eff5fbf2110add294da3eb10c79299e
SHA1 hash:
66fb81982cd8229469e71f533c6d3be8d2ab5007
Link:
https://www.unpac.me/results/3b858d00-3c1c-4bb2-9a21-8cb8d21fb48a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
SNC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/5905/
  
URLhaus
https://urlhaus.abuse.ch/url/3553487/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments