MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3c465c8670333252fe74404324a72ddf5f151b13c1fcb219beb4e88da4926b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 15



SHA256 hash: c3c465c8670333252fe74404324a72ddf5f151b13c1fcb219beb4e88da4926b2
SHA3-384 hash: c5525183e303faee06384a0c06d577d4fd1a563699c795e16172e2caceca9ffd3a4f2678d80aee959c4a73c6f9db9708
SHA1 hash: 9829b856b1e8c821656e001b70e8ac2791debbd1
MD5 hash: 7a7312f1677bf2747cdd3be62d92fead
humanhash: table-hotel-crazy-pluto
File name: free.exe
Signature: AsyncRAT
File size: 12'835'840 bytes
First seen: 2026-02-04 10:27:01 UTC
Last seen: 2026-02-04 11:34:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3237d9e15219482b63b98258b9769406 (1 x AsyncRAT)
ssdeep: 196608:EPqjE661jnlYk2ptDP0U2QXk3kxoYNb2AHf9cOV9ud4NqGuoU:I3nYkw5P0NC0kJqA/BjMqru
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1FCD623E9488562F4D4EB4A107087539F78C126AE45FC6C0A39D1BE521F42EFE254EFA3
TrID: 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: AsyncRAT exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 105
Origin country: SE
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: _c3c465c8670333252fe74404324a72ddf5f151b13c1fcb219beb4e88da4926b2.exe
Verdict: Malicious activity
Analysis date: 2026-02-04 10:27:47 UTC
Tags: github devtunnel rmm-tool auto asyncrat rat loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated packed packed vmprotect
Result: Gathering data
Result
Threat name: AsyncRAT, Dacic, DcRat
Detection: malicious
Classification: phis.troj.evad
Score: 100 / 100
Signature
AI detected malicious page (phishing or scam)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Dacic
Yara detected DcRat
Behaviour
Behavior Graph: (graph rendering not reproduced here; Behavior Graph ID: 1863174, Sample: free.exe, Startdate: 04/02/2026, Architecture: WINDOWS, Score: 100)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name: Win64.Malware.Heuristic
Status: Malicious
First seen: 2026-02-04 05:15:27 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 12 of 36 (33.33%)
Threat level: 2/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:up discovery rat
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction: 157.97.11.134:8080
Unpacked files
SHA256 hash: c3c465c8670333252fe74404324a72ddf5f151b13c1fcb219beb4e88da4926b2
MD5 hash: 7a7312f1677bf2747cdd3be62d92fead
SHA1 hash: 9829b856b1e8c821656e001b70e8ac2791debbd1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
AsyncRAT: Executable exe c3c465c8670333252fe74404324a72ddf5f151b13c1fcb219beb4e88da4926b2 (this sample)

Delivery method: Distributed via web download

Comments