MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f
SHA3-384 hash: cb6984aecdbe6d9da3c65413cff32c8cf5adf8ae47457cfe74bed18e630f7b4b66059594b19530cb4c27d47f7381f3e8
SHA1 hash: d905be9418ff8a6f16325e0bb3aca781740b1410
MD5 hash: 194bb1d96b8cebf5105a29978a5770c1
humanhash: montana-vegan-may-utah
File name:jdk.jar
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'967'190 bytes
First seen:2026-02-05 15:12:19 UTC
Last seen:Never
File type:Java file jar
MIME type:application/java-archive
ssdeep 49152:JWBmMehQOTAEOLoCx/cCB5Dpkm/f1g0XI9oRUczqUe6Q4w:JWBmMeGaAXLoiP3N9XI9kUczq76Qr
TLSH T174952313A24DCBADDC62B5B732E30F8A742B843CB158A19B46CB58DC2154EBF0398DD5
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter abuse_ch
Tags:AsyncRAT jar

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
jdk.jar
Verdict:
Malicious activity
Analysis date:
2026-02-05 14:19:27 UTC
Tags:
java asyncrat rat dcrat remote darkcrystal github rustdesk
Link:
https://app.any.run/tasks/73a953bf-4af8-4201-ba46-cf7f012d492a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51947/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6984a504117f8ed80109be8e
Tags:
n/a
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f
Verdict:
Malicious
File Type:
jar
First seen:
2026-02-05T11:18:00Z UTC
Last seen:
2026-02-06T18:12:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.DInvoke.sb HEUR:Backdoor.Java.Crysan.gen Backdoor.MSIL.Darkrat.sb Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Crysan.d Backdoor.MSIL.Agent.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f/results?tab=lookup
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1864058
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Child Process of AspNetCompiler
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Unusual module load detection (module proxying)
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1864058 Sample: jdk.jar Startdate: 05/02/2026 Architecture: WINDOWS Score: 100 38 vendasdecasas21.shop 2->38 40 vendasdecasas21.online 2->40 42 3 other IPs or domains 2->42 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 15 other signatures 2->60 9 cmd.exe 2 2->9         started        signatures3 process4 process5 11 java.exe 2 21 9->11         started        16 conhost.exe 9->16         started        dnsIp6 50 vendasdecasas21.shop 212.64.210.140, 49687, 49693, 49698 RACKSPACE-LONGB Turkey 11->50 36 C:\Users\user\...\jna6729962237512340039.dll, PE32 11->36 dropped 74 Found many strings related to Crypto-Wallets (likely being stolen) 11->74 18 aspnet_compiler.exe 15 4 11->18         started        23 aspnet_compiler.exe 2 11->23         started        25 aspnet_compiler.exe 3 11->25         started        27 2 other processes 11->27 file7 signatures8 process9 dnsIp10 44 github.com 140.82.114.3, 443, 49694 GITHUBUS United States 18->44 46 release-assets.githubusercontent.com 185.199.111.133, 443, 49695 FASTLYUS Netherlands 18->46 34 C:\Users\user\...\Update_1.6.0_34-b05.exe, PE32+ 18->34 dropped 62 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 18->62 64 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->64 66 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 18->66 68 Queries memory information (via WMI often done to detect virtual machines) 18->68 29 Update_1.6.0_34-b05.exe 19 18->29         started        48 149.248.76.144, 49699, 56004 COEXTRO-01CA Canada 23->48 70 Found many strings related to Crypto-Wallets (likely being stolen) 23->70 72 Tries to harvest and steal Bitcoin Wallet information 23->72 32 Update_1.6.0_34-b05.exe 25->32         started        file11 signatures12 process13 dnsIp14 52 65.38.120.100, 21115, 21116, 49551 SRS-6-Z-7381US United States 29->52
Score:
65%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f
Threat name:
ByteCode-JAVA.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-02-05 14:11:18 UTC
File Type:
Binary (Archive)
Extracted files:
158
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtpsuajvj2asrrxgxhmrtfppze2idoxx5hvz7yxs2ve72cdtfyxq._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:tk-lt-11 discovery rat
Link:
https://tria.ge/reports/260205-slde7ahv2d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
vendasdecasas21.online:5038
vendasdecasas21.shop:5038
vendasdecasas21.site:5038
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4df2a01354e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b4df2a01354e8128c6e6b9d91995efc93481baf7e9eb9fe2f2d549fd08732e2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51947/

Comments