MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f
SHA3-384 hash:	c3151534fc76a3fc38395098e1c192fc9fc30f235b85b06e069c0e4b45b02adf24756cbe0fae1f54ca5ad1ebe4ca5014
SHA1 hash:	184776ffc2b587c82192c1b34c5062b2f91a4519
MD5 hash:	9994d0ed9cf5fc8740b6173eaa7a649a
humanhash:	maine-nuts-jupiter-magnesium
File name:	9994d0ed9cf5fc8740b6173eaa7a649a.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	5'389'392 bytes
First seen:	2026-02-12 07:28:12 UTC
Last seen:	2026-02-12 08:24:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'840 x AgentTesla, 19'772 x Formbook, 12'296 x SnakeKeylogger)
ssdeep	98304:+s3/ywOPmMe2uUyWIim0B64vecbAkTGg54TItQvddo:7awLIuU7IcB64tCg54ktQv7o
Threatray	78 similar samples on MalwareBazaar
TLSH	T16A46123137E86A4DF1BA97B45875599027F3F853F320C60DB9D550DE0DA1B8AA223B23
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

9994d0ed9cf5fc8740b6173eaa7a649a.exe

Verdict:

Malicious activity

Analysis date:

2026-02-12 07:30:59 UTC

Tags:

generic stealer rat

Link:

https://app.any.run/tasks/b7992e44-e772-446f-8b48-019205a3d7a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53097/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.79495681.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698d8117edd9327103462ea5

Tags:

injection obfusc micro

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Connection attempt to an infection source

Creating a file

Query of malicious DNS domain

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expired-cert invalid-signature obfuscated obfuscated powershell signed vbnet

Link:

https://www.filescan.io/uploads/698d810f16ebb08a9467201a/reports/c3d8dbed-0cba-4aed-bced-84e68802b0b5/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f

Verdict:

Clean

File Type:

exe x32

First seen:

2026-02-11T17:44:00Z UTC

Last seen:

2026-02-11T18:14:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/01e3a325-3924-4da1-9b07-d3e812a13f0c

Result

Threat name:

DcRat, KeyLogger, StormKitty, VenomRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1868189

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Connects to a pastebin service (likely for C&C)

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected BrowserPasswordDump

Yara detected DcRat

Yara detected Keylogger Generic

Yara detected StormKitty Stealer

Yara detected VenomRAT

Behaviour

Behavior Graph:

Download SVG

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f/

Verdict:

Malicious

Threat:

Family.ASYNCRAT

Link:

https://tip.neiki.dev/file/c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-02-12 07:29:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

171

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zet7ovfdm7hmmxo6g4xgsvor24hffickjpxag7rejxzpoqjf25pq._file

Verdict:

malicious

Label(s):

asyncrat

stormkitty

hiddenvnc

AsyncRAT

3f36a00de7a3e1784b8bbd6f91158417910c0203a96eb798e7801b2c442b0f69

AsyncRAT

6cf0d4b7fd3371e339d9e52aa97cf50c9f2d0e662329507579f645e83e7285fe

AsyncRAT

9a657f8a9e75786f58aa9775b5b403544fc15249a22bc13165472f4ec7c20b6b

AsyncRAT

c9feb68275bd9e097ac71b17a4659c7734dabe06cf440b2cea2d06ecc13ead54

AsyncRAT

cbd6d67b967edef057f41ff0a516e827d9b3ad4d99a1ecc1b75e7fa9363101e9

AsyncRAT

error

AsyncRAT

+ 68 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:asyncrat family:stormkitty discovery rat stealer

Link:

https://tria.ge/reports/260212-jaslascz9g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

AsyncRat

Asyncrat family

StormKitty

StormKitty payload

Stormkitty family

Unpacked files

SH256 hash:

c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f

MD5 hash:

9994d0ed9cf5fc8740b6173eaa7a649a

SHA1 hash:

184776ffc2b587c82192c1b34c5062b2f91a4519

Link:

https://www.unpac.me/results/5c155846-bd29-4986-819f-a87f0202dab1/

Malware family:

DCRat

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c927f754a367/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c927f754a367cec65dde372e6955d1d70e52a04a4bee037e244df2f74125d75f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/53097/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample