MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eae00f35df37b967e5876281d5ef6dd2c46516c59381d93078ab16278c5e1712. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 17



SHA256 hash: eae00f35df37b967e5876281d5ef6dd2c46516c59381d93078ab16278c5e1712
SHA3-384 hash: 0160f4a5f812bed16039a3693689ceb65348f77c8034595824a4b0d1dd2ead03da028d44e124614c10dd7caa82d91cb1
SHA1 hash: faa344155fed1581f9281487168fd7407ef24c83
MD5 hash: 72d504e45323c1441110ba842ed06f95
humanhash: apart-alpha-michigan-double
File name: WpsSetup.exe
Signature: AsyncRAT
File size: 4'538'515 bytes
First seen: 2025-09-19 10:46:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c38362e0e37590c08f252fc98b1f0136 (11 x ValleyRAT, 1 x Blackmoon, 1 x AsyncRAT)
ssdeep: 98304:RUZXSBbedKA9koXQGktxoq1I2DH2947K/Hk3nbmb9n1:Rs9NXQGaxoq1I2b24zi3
TLSH: T1072633CB7180AA8ACE7416B3115B89E48B37FEFE96720146E1D532981CFB9B71437136
TrID: 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
      4.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: ertutioabcd
Tags: agent AsyncRAT exe
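The hashes above (and the SHA256 values of the unpacked files further down) are the indicators a responder would sweep a host or file share for. The script below is an added example, not MalwareBazaar's code: it computes MD5, SHA1, SHA256 and SHA3-384 in a single read pass, compares every digest against the IOC set copied from this entry, and walks a directory tree reporting hits. The "WpsSetup.exe" that demo() writes is constructed placeholder data, not the real sample; its SHA256 is added to a copy of the IOC set purely to show a hit end to end.

```python
"""Hash-based IOC sweep for this MalwareBazaar entry.

Added example (not MalwareBazaar's code). IOC_HASHES holds the hashes listed
on this page; everything demo() writes to disk is constructed test data.
"""
import hashlib
import io
import os
import tempfile

# Hashes shown on this page: the dropper (SHA256/SHA1/MD5) and the SHA256
# of each file MalwareBazaar unpacked from it.
IOC_HASHES = {
    "eae00f35df37b967e5876281d5ef6dd2c46516c59381d93078ab16278c5e1712",  # WpsSetup.exe
    "faa344155fed1581f9281487168fd7407ef24c83",
    "72d504e45323c1441110ba842ed06f95",
    "24cba021e9524ca9c8276dec97046ac0440ac5c85a966c174aa9a9827862e45f",
    "c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8",
    "37649b899073d9a55225aca8ba8b48fb1eacc732a7187215d4ba8012f53bc48d",
    "9bb2a5770f9d4b49ee5f42a43f83012d3ed4c2fb8471e7d1479bea598c58776e",
    "2b9e50fadedbd01afe3a5b354376742515beafa23e3ed1488b42721a548bae90",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")  # the four digests this entry lists


def digest_stream(fh, chunk_size=1 << 20):
    """Compute all four digests in one pass so large files are read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def match_iocs(digests, iocs=IOC_HASHES):
    """Return (algorithm, digest) pairs present in the IOC set; any single hit is a match."""
    return [(algo, d) for algo, d in digests.items() if d.lower() in iocs]


def scan_tree(root, iocs=IOC_HASHES):
    """Walk a directory; return {path: matched pairs} for files that hit an IOC."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(digest_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if matched:
                hits[path] = matched
    return hits


def demo():
    """Constructed end-to-end check: a fake 'WpsSetup.exe' whose SHA256 is added to a copy of the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "WpsSetup.exe")
        with open(fake, "wb") as fh:
            fh.write(b"MZ" + b"constructed benign placeholder " * 64)  # not the real sample
        iocs = set(IOC_HASHES) | {digest_file(fake)["sha256"]}
        return {os.path.basename(p): m for p, m in scan_tree(tmp, iocs).items()}


if __name__ == "__main__":
    print(demo())
```

Matching on every algorithm at once matters in practice: a ticket may carry only the MD5 of a dropped child, while the vendor feed carries SHA256, and one pass over the file answers both. Hash IOCs only catch byte-identical files, so a rebuilt or re-packed dropper will not hit; they are the cheapest check, not the last one.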

Intelligence


File Origin
# of uploads: 1
# of downloads: 131
Origin country: HK
Vendor Threat Intelligence

Malware family: asyncrat
ID: 1
File name: WpsSetup.exe
Verdict: Malicious activity
Analysis date: 2025-09-19 10:53:21 UTC
Tags: upx netreactor auto-sch rat asyncrat remote
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: autorun spawn virus sage

Result
Verdict: Malware

Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto fingerprint keylogger microsoft_visual_cc overlay packed upx

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-19T07:49:00Z UTC
Last seen: 2025-09-19T07:49:00Z UTC
Hits: ~10
Detections: Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Shellcode.sb Backdoor.MSIL.Crysan.sb Trojan.Win32.Agent.sb Backdoor.MSIL.Crysan.d HEUR:Backdoor.MSIL.Crysan.gen Trojan.MSIL.Donut.sb Trojan.Agentb.TCP.C&C Backdoor.MSIL.Agent.sb Backdoor.DCRat.TCP.C&C

Malware family: CryptoNick Soft™
Verdict: Suspicious

Verdict: Malware
YARA: 5 match(es)
Tags: .Net .Net Obfuscator .Net Reactor Executable Managed .NET PE (Portable Executable) PE File Layout SFX 7z SOS: 0.88 Win 32 Exe x86

Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2025-09-19 10:47:34 UTC
File Type: PE (Exe)
Extracted files: 33
AV detection: 19 of 24 (79.17%)
Threat level: 2/5

Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat adware defense_evasion discovery execution persistence rat spyware upx
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
UPX packed file
Checks computer location settings
Executes dropped EXE
Creates new service(s)
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family

Verdict: Malicious
Tags: Win.Malware.Bulz-10016535-0 TA_Abused_Service
YARA: n/a
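The behaviour list above (scheduled task creation, sc.exe launched and a new service created, taskkill, a dropped EXE executed) is what a detection engineer can turn into a hunt over process-creation telemetry, since hashes change but the persistence chain rarely does. The script below is an added example, not code from MalwareBazaar or any of the sandboxes listed here. It runs four behaviour rules over constructed Sysmon Event ID 1 style records and groups hits by the parent process, so one parent exhibiting several of the behaviours stands out from routine admin use of the same tools. The paths, task name "SysUpdate" and service name "SysUpdSvc" in the sample events are invented for the demonstration and are not indicators from this sample.

```python
"""Hunt for the persistence chain the sandbox reports on this page in process-creation logs.

Added example, not code from MalwareBazaar or the listed vendors. SAMPLE_EVENTS
are constructed Sysmon Event ID 1 style records; the paths, task and service
names in them are invented and are not indicators from the real sample.
"""
import json
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Users\\demo\\Downloads\\WpsSetup.exe","CommandLine":"\"C:\\Users\\demo\\Downloads\\WpsSetup.exe\"","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"{p-explorer}"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /sc minute /mo 1 /tn \"SysUpdate\" /tr \"C:\\ProgramData\\sysupd.exe\" /f","ParentImage":"C:\\Users\\demo\\Downloads\\WpsSetup.exe","ParentProcessGuid":"{p-wps}"}
{"EventID":1,"Image":"C:\\Windows\\System32\\sc.exe","CommandLine":"sc create SysUpdSvc binPath= \"C:\\ProgramData\\sysupd.exe\" start= auto","ParentImage":"C:\\Users\\demo\\Downloads\\WpsSetup.exe","ParentProcessGuid":"{p-wps}"}
{"EventID":1,"Image":"C:\\Windows\\System32\\taskkill.exe","CommandLine":"taskkill /f /im sysupd.exe","ParentImage":"C:\\Users\\demo\\Downloads\\WpsSetup.exe","ParentProcessGuid":"{p-wps}"}
{"EventID":1,"Image":"C:\\ProgramData\\sysupd.exe","CommandLine":"C:\\ProgramData\\sysupd.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"{p-svchost}"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /query /tn \"SysUpdate\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"{p-cmd}"}
{"EventID":1,"Image":"C:\\Windows\\System32\\sc.exe","CommandLine":"sc query wuauserv","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"{p-ps}"}
"""


def _exe(image):
    """Lower-cased basename of an image path (C:\\Windows\\System32\\sc.exe -> sc.exe)."""
    return PureWindowsPath(image).name.lower()


# One rule per sandbox behaviour from this page; each is a predicate over one event.
def scheduled_task_create(e):
    return _exe(e["Image"]) == "schtasks.exe" and re.search(r"(?i)/create\b", e["CommandLine"]) is not None


def service_create(e):
    return _exe(e["Image"]) == "sc.exe" and re.search(r"(?i)\bcreate\b", e["CommandLine"]) is not None


def process_kill(e):
    return _exe(e["Image"]) == "taskkill.exe"


def runs_from_staging_dir(e):
    """'Executes dropped EXE': a binary started out of a user-writable staging directory."""
    return re.search(r"(?i)\\(?:ProgramData|Temp|Users\\[^\\]+\\AppData)\\", e["Image"]) is not None


RULES = {
    "scheduled_task_create": scheduled_task_create,
    "service_create": service_create,
    "process_kill": process_kill,
    "runs_from_staging_dir": runs_from_staging_dir,
}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(text):
    """Group the behaviours matched by child processes under the parent that spawned them."""
    by_parent = defaultdict(lambda: {"parent": None, "rules": set()})
    for e in parse_events(text):
        if e.get("EventID") != 1:
            continue
        for name, rule in RULES.items():
            if rule(e):
                entry = by_parent[e["ParentProcessGuid"]]
                entry["parent"] = e["ParentImage"]
                entry["rules"].add(name)
    return {k: {"parent": v["parent"], "rules": sorted(v["rules"])} for k, v in by_parent.items()}


def suspicious_parents(text, min_rules=2):
    """Parents showing at least min_rules distinct behaviours; a single one is routine admin activity."""
    return {k: v for k, v in triage(text).items() if len(v["rules"]) >= min_rules}


if __name__ == "__main__":
    for guid, info in suspicious_parents(SAMPLE_EVENTS).items():
        print(guid, info["parent"], info["rules"])
```

Grouping by parent is the point: "schtasks /query" from cmd.exe and "sc query" from PowerShell each trip nothing, the dropped binary started by svchost trips one rule, and only the parent that created a task, created a service and killed a process crosses the two-behaviour bar. Tune the staging-directory regex to your own estate before deploying it; software that legitimately updates itself out of ProgramData is common.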
Unpacked files

SHA256 hash: eae00f35df37b967e5876281d5ef6dd2c46516c59381d93078ab16278c5e1712
MD5 hash: 72d504e45323c1441110ba842ed06f95
SHA1 hash: faa344155fed1581f9281487168fd7407ef24c83

SHA256 hash: 24cba021e9524ca9c8276dec97046ac0440ac5c85a966c174aa9a9827862e45f
MD5 hash: e662f76eaaffd1119d238dfcffaf11d7
SHA1 hash: e9146d2be4a7c45e43c6cb66fef876e15a95fea6

SHA256 hash: c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8
MD5 hash: b52ba2b99108c496389ae5bb81fa6537
SHA1 hash: 9073d8c4a1968be24357862015519f2afecd833a

SHA256 hash: 37649b899073d9a55225aca8ba8b48fb1eacc732a7187215d4ba8012f53bc48d
MD5 hash: 10a308c543baff12708b01b4cde9b236
SHA1 hash: 7a74b4fb7e405d59c29b47d248e9c646526a3aac

SHA256 hash: 9bb2a5770f9d4b49ee5f42a43f83012d3ed4c2fb8471e7d1479bea598c58776e
MD5 hash: 8b762f5dca4074a4187ea10ba0d1705a
SHA1 hash: 0befde7e83a3211222908e1b521302ce93eb3631
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 2b9e50fadedbd01afe3a5b354376742515beafa23e3ed1488b42721a548bae90
MD5 hash: 31b7f58ef00d1bab980efabadd701b1b
SHA1 hash: 916a1d536ab1842add739241f431bc9672a4c719
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NET
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9
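Three of the seven YARA hits, the TrID result (63.4% UPX compressed Win32 executable) and the "UPX packed file" sandbox behaviour all say the same thing: the static layer is a packer, and signatures on the outer file describe UPX, not AsyncRAT. The script below is an added example, not MalwareBazaar, TrID or YARA code. It parses PE section headers with the standard library only and reports the UPX hallmarks a triage analyst checks before unpacking: UPX0/UPX1 section names, a first section that exists in memory but has no bytes on disk, and near-8-bit entropy in the section that holds the compressed body. build_demo_pe() emits a constructed, non-runnable PE skeleton with that layout; it is not the real WpsSetup.exe.

```python
"""Static packer triage: parse PE section headers and flag the UPX layout and
high-entropy sections that TrID and the UPX YARA rules report for this sample.

Added example, not MalwareBazaar, TrID or YARA code. build_demo_pe() builds a
constructed PE skeleton for parsing only; it is not the real sample.
"""
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_bytes) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]        # COFF NumberOfSections
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]   # COFF SizeOfOptionalHeader
    table = coff + 20 + size_of_optional                            # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, vsize, vaddr, rsize, pe[rptr:rptr + rsize]


def packer_indicators(pe, entropy_threshold=7.0):
    report = {"sections": [], "upx_section_names": [], "high_entropy_sections": [],
              "virtual_only_first_section": False}
    for i, (name, vsize, vaddr, rsize, raw) in enumerate(parse_sections(pe)):
        ent = shannon_entropy(raw)
        report["sections"].append({"name": name, "virtual_size": vsize, "raw_size": rsize, "entropy": round(ent, 3)})
        if name in UPX_SECTION_NAMES:
            report["upx_section_names"].append(name)
        if rsize and ent >= entropy_threshold:
            report["high_entropy_sections"].append(name)
        # UPX hallmark: the first section is the unpack destination, present in memory but absent on disk.
        if i == 0 and vsize and rsize == 0:
            report["virtual_only_first_section"] = True
    report["likely_packed"] = bool(report["upx_section_names"] or report["high_entropy_sections"]
                                   or report["virtual_only_first_section"])
    return report


def build_demo_pe():
    """Constructed PE32 skeleton with a UPX-style section table (headers only, not executable)."""
    sections = [  # (name, VirtualSize, VirtualAddress, raw bytes)
        ("UPX0", 0x20000, 0x1000, b""),                     # unpack target: virtual only
        ("UPX1", 0x1000, 0x21000, bytes(range(256)) * 16),  # every byte value 16 times -> exactly 8.0 bits
        (".rsrc", 0x200, 0x22000, b"\0" * 512),             # zero-filled -> 0.0 bits
    ]
    opt_size = 224  # PE32 optional header size; contents zeroed, this image is for parsing only
    raw_ptr = 512   # first raw-data offset, 512-byte aligned after the headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C -> PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers, body, ptr = b"", b"", raw_ptr
    for name, vsize, vaddr, raw in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(raw),
                               ptr if raw else 0, 0, 0, 0, 0, 0)
        body += raw
        ptr += len(raw)
    image = dos + b"PE\0\0" + coff + optional + headers
    return image + b"\0" * (raw_ptr - len(image)) + body


if __name__ == "__main__":
    print(packer_indicators(build_demo_pe()))
```

Section names are trivially renamed by anyone who rebuilds the UPX stub, so the entropy and virtual-only-section checks are the ones that survive a cosmetic change. A positive here tells you only that the outer layer is packed; the .NET Reactor indicator on one of the unpacked files above is the next layer, and the AsyncRAT detections only become meaningful once both are stripped.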

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
AsyncRAT
Executable exe eae00f35df37b967e5876281d5ef6dd2c46516c59381d93078ab16278c5e1712 (this sample)

Delivery method: Distributed via web download
