MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 19

Intelligence 19 IOCs 1 YARA 7 File information Comments

SHA256 hash:	c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa
SHA3-384 hash:	f42e3f1bbf06567969be80ca573a5bae894bc80f37d0bccdab12587cf8f7b48f3fd63da23da56a69d27ad952a942417d
SHA1 hash:	d78e7fe85361505b76551b64e234295c4b25d09d
MD5 hash:	4991728b389ea21d991c317a186b663e
humanhash:	delta-robert-mike-football
File name:	4991728B389EA21D991C317A186B663E.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	3'796'992 bytes
First seen:	2025-05-25 19:25:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	98304:QVR1EwUZrfbqMj6z+8mVa0vHoGa56WYBAPzKu6Y:QVRy1Zj+mA70/o0i2uR
TLSH	T1CC06CF23FA5745B2C25C1F77C9AB481053A4E9A27617D71E398F237A18C3BFB5A49203
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

abuse_ch

AsyncRAT C2:
213.209.143.50:1414

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
213.209.143.50:1414	https://threatfox.abuse.ch/ioc/1534342/

Intelligence

File Origin

# of uploads :

# of downloads :

704

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

4991728B389EA21D991C317A186B663E.exe

Verdict:

Malicious activity

Analysis date:

2025-05-25 19:28:09 UTC

Tags:

rat asyncrat remote netreactor stealer auto-startup purecrypter

Link:

https://app.any.run/tasks/a2f17cc3-6dcc-442d-9341-a7a9f6f474c8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.DownLoaderNET.1166.21947.26193.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68336fb344c3881e854d492b

Tags:

asyncrat autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 lolbin net_reactor obfuscated packed packed packer_detected tracker

Link:

https://www.filescan.io/uploads/68336f18fd02ed5e058725b6/reports/e5dd8785-03fb-43b5-9a8e-2319174c43ea/overview

Verdict:

Malicious

Labled as:

Trojan.Mardom.MN.Generic

Link:

https://www.hybrid-analysis.com/sample/c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2fe9069-4b5c-43ff-9bbb-37f475ea3a24

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1698869

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Drops script at startup location

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses threadpools to delay analysis

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa

Threat name:

ByteCode-MSIL.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2025-05-22 13:07:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y47kumhyyruqjb5rv2sh6qgmougrownffcfp4mbfmuxhprnjssva._file

Verdict:

malicious

Label(s):

asyncrat

Similar samples:

error

AsyncRAT

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:all discovery rat spyware stealer

Link:

https://tria.ge/reports/250525-x5bg6ahj2t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Drops startup file

Reads user/profile data of web browsers

Async RAT payload

AsyncRat

Asyncrat family

Malware Config

C2 Extraction:

jojo.ath.cx:1414

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/474b296d-b24d-4d24-9570-7aeba446bb5e

Unpacked files

SH256 hash:

c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa

MD5 hash:

4991728b389ea21d991c317a186b663e

SHA1 hash:

d78e7fe85361505b76551b64e234295c4b25d09d

Link:

https://www.unpac.me/results/ec208000-5ae4-4f30-a15c-993a4b98d682/

SH256 hash:

5a300e2affe9d813348f326193c103b1c24b14db115bf4e3e9f52e87365a8420

MD5 hash:

c59ad00d2d5618f1c87c2ef9092e11c3

SHA1 hash:

1966a0a88ad38d244e60bf23453af2b440b5a663

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ec208000-5ae4-4f30-a15c-993a4b98d682/

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/ec208000-5ae4-4f30-a15c-993a4b98d682/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/ec208000-5ae4-4f30-a15c-993a4b98d682/

SH256 hash:

52f06fc105eaaac5c5a128473ea1cf4b6fc95376ec52de07466c4644f2d83387

MD5 hash:

cd61f96043a1b8b5df3ae87d8f052983

SHA1 hash:

790811f9759506bb1134f32f4d77e4a518a4a294

Detections:

win_asyncrat_w0

AsyncRAT

asyncrat

win_asyncrat_bytecodes

win_asyncrat_unobfuscated

INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/ec208000-5ae4-4f30-a15c-993a4b98d682/

SH256 hash:

03d0afa250327bde1792254848446593017813ab0890084a9ae716b75214e352

MD5 hash:

ef0f50f006a9772a87f51b596690e41f

SHA1 hash:

cd3c3f4da8854ce78a69aaec8deae39d81ecb23e

Link:

https://www.unpac.me/results/ec208000-5ae4-4f30-a15c-993a4b98d682/

Malware family:

DCRat

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c73eaa30f8c4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c73eaa30f8c4690487b1aea47f40cc750d1759a5288afe3025652e77c5a994aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample