MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 19



SHA256 hash: e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4
SHA3-384 hash: c286dd252ec238a211a6f9d526321969a50221f9b3e4f97c3b9d12bfcc38a182eb63fd9da578746f213751e218dd74b4
SHA1 hash: d7202ed12e96ae72b06507c31bcaa1c341d2e381
MD5 hash: 805ef0d13b176f08ad181cea3bb2ace0
humanhash: orange-texas-massachusetts-louisiana
File name: TT payment slip.exe
Signature: AsyncRAT
File size: 519'168 bytes
First seen: 2025-12-04 06:55:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:T6FKfeh2hb94dzCFycWJiWl3yZrY+pKpc/g+DIR:uIBmGFyFLlCBYNbR
Threatray: 49 similar samples on MalwareBazaar
TLSH: T12FB4122616C5DA16DAE513B11A32E37642BC6F5DA821C30ADEEFEDFF302A750A404753
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: AsyncRAT exe RAT


abuse_ch
AsyncRAT C2:
172.245.93.109:9990

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 172.245.93.109:9990
ThreatFox reference: https://threatfox.abuse.ch/ioc/1667492/

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: NL

Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: _e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4.exe
Verdict: Malicious activity
Analysis date: 2025-12-04 07:11:07 UTC
Tags: auto-sch-xml asyncrat netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: asyncrat stration shell spawn

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade packed vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2025-12-04T04:09:00Z UTC
Last seen: 2025-12-06T02:00:00Z UTC
Hits: ~100
Detections: PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen Trojan.MSIL.Inject.sb Backdoor.MSIL.Crysan.b Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Crysan.fb Backdoor.MSIL.Crysan.d Backdoor.MSIL.Crysan.c
Result
Threat name: AsyncRAT, PureLog Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
Behaviour
Behavior Graph (rendered as text; the original is an image):
Behavior Graph ID: 1826176
Sample: TT payment slip.exe
Start date: 04/12/2025
Architecture: WINDOWS
Score: 100
Sample-level network: shed.dual-low.part-0041.t-0009.t-msedge.net; shed.dual-low.part-0012.t-0009.t-msedge.net; 4 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; 12 other signatures
Process tree:
  TT payment slip.exe (started)
    dropped: C:\Users\user\AppData\Roaming\eupEpp.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmpEAB8.tmp (XML)
    dropped: C:\Users\user\...\TT payment slip.exe.log (ASCII)
    signature: Adds a directory exclusion to Windows Defender
    powershell.exe (started)
      signature: Loading BitLocker PowerShell Module
      conhost.exe (started)
      WmiPrvSE.exe (started)
    powershell.exe (started)
      conhost.exe (started)
    MSBuild.exe (started)
      network: 172.245.93.109, 49717, 9990 AS-COLOCROSSINGUS United States
    schtasks.exe (started)
      conhost.exe (started)
  eupEpp.exe (started)
    signature: Multi AV Scanner detection for dropped file
    schtasks.exe (started)
      conhost.exe (started)
    MSBuild.exe (started)
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.52 Win 32 Exe x86

Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:dec bots discovery execution persistence rat
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Malware Config
C2 Extraction: 172.245.93.109:9990
Unpacked files
SHA256 hash: e3733d68078f927a67479fded197bf45287c17a775da4c81d3b3d4853e57d1f4
MD5 hash: 805ef0d13b176f08ad181cea3bb2ace0
SHA1 hash: d7202ed12e96ae72b06507c31bcaa1c341d2e381

SHA256 hash: 820fff868397de25929bf0bbbf6b09645ac4f768f40975de5136a9cff03146e9
MD5 hash: 31290b157627016edf3a4668427de613
SHA1 hash: 2f399703cad1e10636a2bf962322f6764487e5f1
Detections: win_asyncrat_w0 SUSP_OBF_NET_Reactor_Indicators_Jan24 asyncrat win_asyncrat_bytecodes

SHA256 hash: defcd85e10da488092d226c075cfe700cc982580dcfe2a128bb61baf667c99ad
MD5 hash: eb0c8b0b7d00fd05959cba51ffcd1ea9
SHA1 hash: 78d2cbb4354f8a0ecc2b0fda5ee8e6914fbbbc77
Detections: win_asyncrat_w0 SUSP_OBF_NET_Reactor_Indicators_Jan24 asyncrat

SHA256 hash: 03b25e10b537e1a71f03a80070bf0554b5a5b187c77b70625f6eeb0fd909165e
MD5 hash: 41a373685140e1916031f04e1dcd63a6
SHA1 hash: 2174ba74d331caa8d1e66455aefa6ba92a63c07e
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 525bb9ebdc8a3ec5ca82a6e1d5878ffd977931f7f944ac5aca9d533f79a4aea8
MD5 hash: ed6b6d54079d5a27906bb623244d857b
SHA1 hash: e7c23969271acdd7ef88f18aae514bd8017400f6
Detections: win_asyncrat_w0 SUSP_OBF_NET_Reactor_Indicators_Jan24 asyncrat win_asyncrat_bytecodes

Malware family: VIPKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments