MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd
SHA3-384 hash: 05649129cf72619f5bfddc01ec2ad7c320e60e65f8769b09bf4368889b06425feb50e12d877c3e06739e03315ee70847
SHA1 hash: 9afdf9595b62e23a9822b5a29c3762d22945c46b
MD5 hash: 6d5c12b0a083f3ca5be7a37c41768bb6
humanhash: pennsylvania-october-arizona-shade
File name:64thServices.lnk.bin
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'660 bytes
First seen:2026-01-20 20:38:37 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8VOJI5UmtJ1TAY8PA+/2PyJi5VFfa4A+U/FIP4I0aA3yUUXQaR3+9h/LnU+Y+/vm:8R+1vJi5iNxfIPzXv3WzU+Yk
TLSH T1D631A2556FDA0339D2B2CA3B54F5E3424B33B950E9738F5D4280D29C2C55600E836F6B
Magika lnk
Reporter burger
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
47
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
LNK
a command line and any observed urls
Link:
https://research.acce.ciphertechsolutions.com/results/f261dce7-20e4-4963-be6d-22de0447f265/
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26477.PshHeur.UNOFFICIAL
Create hunting rule

Lnk.Downloader.HTAAgent-9989400-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696fe7a1f3cf908ba506c774
Tags:
shell virus sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd/results/dashboard
Payload URLs
URL
File name
https://gl1g7tts-5500.euw.devtunnels.ms/64/loader.exe
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd lolbin masquerade
Link:
https://www.filescan.io/uploads/696fe800abc6d3ca6deb74df/reports/f793dfd5-25cd-48ec-abbd-4b6579120784/overview
Verdict:
Malicious
Labled as:
LNK/Downloader.B suspicious application
Link:
https://www.hybrid-analysis.com/sample/c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd
Verdict:
Malicious
File Type:
lnk
First seen:
2026-01-20T17:54:00Z UTC
Last seen:
2026-01-21T12:58:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.WinLNK.Agent.gen Trojan.WinLNK.Agent.sb Trojan-Downloader.Win32.Agent.sba NetTool.TunnelVisualStudio.UDP.C&C
Link:
https://opentip.kaspersky.com/c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1854386
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious page (phishing or scam)
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Curl Download And Execute Combination
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1854386 Sample: 64thServices.lnk.bin.lnk Startdate: 20/01/2026 Architecture: WINDOWS Score: 100 54 gl1g7tts-5500.euw.devtunnels.ms 2->54 56 v3-euw.cluster.rel.tunnels.api.visualstudio.com 2->56 58 2 other IPs or domains 2->58 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for URL or domain 2->68 70 Windows shortcut file (LNK) starts blacklisted processes 2->70 72 7 other signatures 2->72 10 cmd.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 signatures5 82 Windows shortcut file (LNK) starts blacklisted processes 10->82 15 cmd.exe 1 10->15         started        17 curl.exe 2 10->17         started        21 conhost.exe 1 10->21         started        process6 dnsIp7 23 loader.exe 15 15->23         started        27 conhost.exe 15->27         started        50 tunnels-prod-rel-euw-v3-cluster.westeurope.cloudapp.azure.com 20.103.221.187, 443, 49687, 49688 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->50 52 127.0.0.1 unknown unknown 17->52 44 C:\Users\user\AppData\Local\Temp\loader.exe, PE32+ 17->44 dropped file8 process9 file10 46 C:\Windows\System32\kyzbuyfe.exe, PE32+ 23->46 dropped 74 Windows shortcut file (LNK) starts blacklisted processes 23->74 76 Multi AV Scanner detection for dropped file 23->76 78 Suspicious powershell command line found 23->78 80 Adds a directory exclusion to Windows Defender 23->80 29 powershell.exe 23 23->29         started        32 chrome.exe 2 23->32         started        35 cmd.exe 1 23->35         started        signatures11 process12 dnsIp13 84 Loading BitLocker PowerShell Module 29->84 37 conhost.exe 29->37         started        39 WmiPrvSE.exe 29->39         started        48 192.168.2.5, 138, 443, 49184 unknown unknown 32->48 41 chrome.exe 32->41         started        signatures14 process15 dnsIp16 60 64th-service.sellhub.cx 172.66.40.250, 443, 49693, 49697 CLOUDFLARENETUS United States 41->60 62 www.google.com 142.250.72.164, 443, 49711 GOOGLEUS United States 41->62 64 5 other IPs or domains 41->64
Verdict:
Malware
YARA:
2 match(es)
Tags:
Execution: CMD in LNK LNK LOLBin LOLBin:cmd.exe Malicious T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/6d5c12b0a083f3ca5be7a37c41768bb6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd/
Verdict:
Malicious
Threat:
Trojan.WinLNK.Agent
Link:
https://tip.neiki.dev/file/c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd
Threat name:
Win32.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2026-01-20 20:37:54 UTC
File Type:
Binary
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcaowzhh77d3nn22jpmzjsumbsmjip75o7o73emofbi5pjqyq7oq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/260120-zfdx4aav5b/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Enumerates VirtualBox registry keys
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

rar f43f3b219f27796ee12728eab47196ca3f331f5daccbb3e010f82a860ec12367

AsyncRAT

Shortcut (lnk) lnk c880eb64e7ffc7b6b75a4bd994ca8c0c98943ffd77ddfd918e2851d7a61887dd

(this sample)

AsyncRAT

Executable exe b16756643fcb46ccf70dddf40b9cfdb0a6cac16296c2d5a14cc684b3e732e489

  
Dropping
SHA256 b16756643fcb46ccf70dddf40b9cfdb0a6cac16296c2d5a14cc684b3e732e489
  
Dropping
SHA256 b6b8231cfbb3eb07ecfc10da7e3a67071ef5a53243c113aa74f870734e8d17c3
  
Dropped by
SHA256 f43f3b219f27796ee12728eab47196ca3f331f5daccbb3e010f82a860ec12367
  
Dropped by
MD5 8d5ee25b163aab31fddc2489a58829ce
  
Dropping
MD5 b8e855ff4be0cd4c65c442f696a992fe
  
Dropping
MD5 312c77c62d257957da6aab50f3f63ba2

Comments