MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c
SHA3-384 hash:	725f0613863c4697cf45fe0420c6b6d5c1ab198d0affafe697001ef97978f39dc0d5fd19269ca5aec51b6f6faeda3f87
SHA1 hash:	c227751791d00553a62a7d8f1c3c05511f74bfff
MD5 hash:	134c5ac8b6bdcda2926ebef307caabba
humanhash:	earth-wisconsin-lithium-august
File name:	dropped-payload.bin
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	325'120 bytes
First seen:	2025-04-04 05:36:25 UTC
Last seen:	2025-04-04 06:28:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:xSUymdX6BzeUqk05m/CpeIQcAaTn9IjUfiHYEBcX8yTpbtXBiWukH0As4a:RytBeHV/b9IofJEBcsyT19g9kUAs4
TLSH	T1C56423FC550AC483CAFD4278DCD30EE8D3B6179FB6A9E2CE4D6D696267017831452BA0
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	marsomx
Tags:	103-54-153-122 AsyncRAT Compilazioneprotetticopyright exe PureHVNC

marsomx_

c2: 103.54.153.122
cert:
Version: 3 (0x02)
Serial number: 1147548471200977484529535627714614139 (0x00dd0282032e50a369af1e9bc387d37b)
Algorithm ID: SHA512withRSA
Validity
Not Before: 10/03/2025 16:30:15 (dd-mm-yyyy hh:mm:ss) (250310163015Z)
Not After: 31/12/9999 23:59:59 (dd-mm-yyyy hh:mm:ss) (99991231235959Z)
Issuer
CN = Vtufxfqr
Subject
CN = Vtufxfqr
Fingerprints
MD5: 720fbaa32a54349d1abaf830983832f2
SHA1: 1119c824243e6c4a90c38675f4036edbe75508c9
SHA256: 8dfe0c3a3cbab7bc54dc15bb81fbd89278a2505bb6e590d850a37d5fe4b384db

Intelligence

File Origin

# of uploads :

# of downloads :

446

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

dropped-payload.bin

Verdict:

Malicious activity

Analysis date:

2025-04-04 05:39:26 UTC

Tags:

stealer purehvnc rat asyncrat remote

Link:

https://app.any.run/tasks/af6c7a39-65cf-40b8-af23-92265192cd4c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/427/

Detection(s):

SecuriteInfo.com.Win32.BackdoorX-gen.17011.4867.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67ef70e6855e5ec5240dab15

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade obfuscated obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/67ef700540adfb5162b8bfbe/reports/08d6cf25-efcf-4c12-8ed7-cc77da6e864d/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f93616ac-c787-4e4b-afe1-65fb6cf8e420

Result

Threat name:

PureCrypter, AsyncRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1656244

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c/

Threat name:

ByteCode-MSIL.Trojan.Jalapeno

Status:

Malicious

First seen:

2025-04-04 05:37:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yca5zmoktonnb4yimbwvisufswl6vwlfhzgnoh34ltalesht7aoa._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence privilege_escalation spyware stealer

Link:

https://tria.ge/reports/250404-ga7n4s1sbx/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Enumerates connected drives

Event Triggered Execution: Component Object Model Hijacking

Reads user/profile data of web browsers

Boot or Logon Autostart Execution: Active Setup

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b93d3cb1-b4b9-4f9d-90a6-208cc4a5120c

Unpacked files

SH256 hash:

c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c

MD5 hash:

134c5ac8b6bdcda2926ebef307caabba

SHA1 hash:

c227751791d00553a62a7d8f1c3c05511f74bfff

Link:

https://www.unpac.me/results/a8cee94d-72ca-408b-825b-f71eb6127ec8/

SH256 hash:

055ef5da09a8b050b41fcdf6a2981330acf37d26ad82d46222b69408e17dee70

MD5 hash:

95e8dc4f94b842b1c679df97dbb02c02

SHA1 hash:

144a6dea85e474ffae455976c61a42b8a97f375e

Link:

https://www.unpac.me/results/a8cee94d-72ca-408b-825b-f71eb6127ec8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

9513d78958f1ce15ca512e0e01b68fa3725e06ceff217f58ebbe450538f4c7f9

AsyncRAT

exe c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c

(this sample)

https://x.com/JAMESWT_WT/status/1907094667428037025

Dropped by

SHA256 9513d78958f1ce15ca512e0e01b68fa3725e06ceff217f58ebbe450538f4c7f9

Cape

https://www.capesandbox.com/analysis/427/

Dropped by

MD5 71b3d579e80bcf3191c39f3024b1b5f4

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample