MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c423866ee5ebe47fa4808882d30becc79d2fe167d62a78033951a1953c57dfc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

SHA256 hash: c423866ee5ebe47fa4808882d30becc79d2fe167d62a78033951a1953c57dfc5
SHA3-384 hash: 492547701db3f2baf9483ffd09ce34f36e43d05fa688c61552ec30e0a9d0367cd575a7d40543a3f8214cc58547b82b40
SHA1 hash: 4384fd9153860b025d5d6f8af2615407f3cf2fcc
MD5 hash: 62e877cc07f9611bb8ef7c9f3127998e
humanhash: nevada-texas-princess-crazy
File name: fallig.bat
Signature: AsyncRAT
File size: 6'763 bytes
First seen: 2025-08-14 09:06:37 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 96:un4JEm2kmbZPdSL1I9tU2y3yBNDNoECNdkyNRhdaLxUxikj2YJa0:u4Jj2kUwo7LjDNWNdvMLxUxrj2YJa0
TLSH: T1F3D11D2E1087D14407B363BDD46D09E4DA1ED48B173491CC7EACE5CEEF3829B45A6ACA
Magika: batch
Reporter: 0xb0mb3r
Tags: AsyncRAT bat batch stager xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 73
Origin country: CH

Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: https://www.dropbox.com/scl/fi/wbaioujnm9tgms5at7w15/Ausgangsrechnung_24018141.zip?rlkey=j7d68luhjm3k8ux0355qsautb&st=7mqvlcga&dl=1
Verdict: Malicious activity
Analysis date: 2025-08-14 07:20:21 UTC
Tags: webdav arch-doc python arch-exec rat asyncrat remote xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching a process
Searching for the window
Creating synchronization primitives
Creating a file
Creating a window
Changing a file
Creating a process with a hidden window
Reading critical registry keys
Moving a recently created file
Replacing files
DNS request
Connection attempt
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: findstr lolbin obfuscated powershell

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)

Rule name: WIN_ClickFix_Detection
Author: dogsafetyforeverone
Description: Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference: ClickFix social engineering and malicious PowerShell commands

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments