MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59
SHA3-384 hash: 233a455a1de3589a31a3342ad884da3e60984db9f27edea07426dfc994566c8284a3a21272d5019d4c72b300b8b77693
SHA1 hash: cba3f54ef0ead4cbf4dbb932503423958dd380ab
MD5 hash: df969a606ca3dfc280848f479395f526
humanhash: island-zebra-queen-robin
File name:df969a606ca3dfc280848f479395f526.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:324'608 bytes
First seen:2025-04-15 09:40:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:rBYEFwmS3N1DFJ4F6GV4FWAltEkjybcti4DUOJ7v5vCpCB5KrKycFeQF+LUk9s9s:rBJwmSdtDoVkZqcfDUObb5aYedLUkCKN
Threatray 229 similar samples on MalwareBazaar
TLSH T13B6423986F4AD633CFE4D173E0F2D3D28438FDBA7217AB6B5C9C1981284638224D99D4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
489
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
df969a606ca3dfc280848f479395f526.exe
Verdict:
Malicious activity
Analysis date:
2025-04-15 09:43:09 UTC
Tags:
stealer purehvnc rat asyncrat remote
Link:
https://app.any.run/tasks/ccb8bacc-f938-4151-879c-3d25b4d76e5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2272/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fe30f5d6e7c3effad3568f
Tags:
obfuscate asyncrat xtreme micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67fe298ae9c1e25797999f3d/reports/d6196531-5ccc-439c-86b8-8fabe3ae2cb0/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0650d348-8ed2-4477-bb13-fefd497d5401
Result
Threat name:
PureCrypter, AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1665191
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Detected PureCrypter Trojan
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-04-06 17:53:21 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yclckz7s5iggotpf3kdfqsaddernnq76zsj3zhfpjts5wtgmx5mq._file
Verdict:
malicious
Label(s):
unc_loader_044
Create hunting rule
Similar samples:
1a662bfa91c2a2baa4156cf93f2a7557710dce1dd2074f1bc8d4264d01841276
AsyncRAT
a41bf7d87976adc297aa44703f31eab78be9c3ac80c0d10d621c603b68963c36
AsyncRAT
a595ace755944f092e6d48168b760be8d5bc6b8447bea2accd97b19fe548703b
AsyncRAT
c081dcb1ca9b9ad0f308606d544a859597ead9653e4cd71f7c5cc0b248f3f81c
AsyncRAT
c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59
AsyncRAT
c2683a84937dd45f25eb3d5d1adc10864ecdf710b5e7ef9f9f414f13005a4923
AsyncRAT
edddaad7146bb1ad8dcf41f8a2d257546339b4e0f68e6eb4bebda615742feaba
AsyncRAT
error
AsyncRAT
+ 219 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/250415-lnebyavyhv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/35ff93b0-798f-46a1-84a6-830274a9da99
Unpacked files
SH256 hash:
c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59
MD5 hash:
df969a606ca3dfc280848f479395f526
SHA1 hash:
cba3f54ef0ead4cbf4dbb932503423958dd380ab
Link:
https://www.unpac.me/results/160d88c0-8eb9-41b0-bc71-a09ff6bc7860/
SH256 hash:
590999cc8737ba4e500c9674db814cf0f33b3cfd0749fbae61fc43e7f9886c25
MD5 hash:
c82af902729f6927d8a6ac771d7ed5bb
SHA1 hash:
a4c617fcad96111fb5729fa23c9ce09f4d7578ae
Link:
https://www.unpac.me/results/160d88c0-8eb9-41b0-bc71-a09ff6bc7860/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0962567f2ea0c674de5da865848031922d6c3fecc93bc9caf4ce5db4cccbf59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/2272/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments