MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec173f6992ea6a8731f820a213610af9995283cfcd1860483855f5d69a1c7629. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 19

SHA256 hash: ec173f6992ea6a8731f820a213610af9995283cfcd1860483855f5d69a1c7629
SHA3-384 hash: 7b1f260c60f3b9fe39305c6a63e370942fd5c6a07db15cdee48a6ef4b2231e5340aa8321c49356f0b9b0890b2a2d3087
SHA1 hash: 888a215745b9201e51483c43a57a3285f701528b
MD5 hash: a04de842998d280a18024061dbf07153
humanhash: east-skylark-lion-nebraska
File name: ec173f6992ea6a8731f820a213610af9995283cfcd1860483855f5d69a1c7629
Signature: AsyncRAT
File size: 2'837'504 bytes
First seen: 2026-01-26 18:41:56 UTC
Last seen: 2026-01-27 08:35:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 18 x AsyncRAT, 17 x BlankGrabber)
ssdeep 49152:u470nRTwkgxdEm+/wR4E3Q+hR8YYvDiL+mQcqNtyuVgSV9p1kyeoe5ySvVU8X/gY:u470VwpGwR4ELR8YSmL+mQJXyoXVjeRj
Threatray 23 similar samples on MalwareBazaar
TLSH T155D5D058558CBDE7F17812B051FB266B9D8DFD2B1A009C8620A31E4B74FE027FE21D69
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Neiki
Tags: AsyncRAT binder exe RAT StormKitty unambindernative

Intelligence


File Origin
# of uploads: 2
# of downloads: 180
Origin country: DE
Vendor Threat Intelligence
Malware configuration found for: UnamBinder, WorldWind
Details
UnamBinder: XOR-decrypted component(s)
WorldWind: API configuration (version, owner ID and secret), C2 socket addresses, a license key, a version, a mutex, AES-CBC decryption parameters, an SSL certificate and server signature, an interval, assorted flags, and optionally a file path and a group
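The UnamBinder detail above says only that the embedded component is XOR-decrypted, which is the usual situation at triage: the key is unknown, but the plaintext is a PE file, so dozens of its bytes are known in advance. The script below is an added example, not MalwareBazaar's code and not UnamBinder's own routine. It recovers a repeating XOR key from the bytes every PE linked with the default stub fixes (the MZ magic, the reserved zero fields of the DOS header, the "This program cannot be run in DOS mode." text at 0x4E) and then confirms the key by checking that e_lfanew lands on the PE signature, a field the known plaintext never touched. The key-length limit, the key, the payload, the container image and the scanning approach are constructed assumptions, as are the function names.

```python
"""Recover a repeating-key XOR payload by known plaintext.

Added example: not MalwareBazaar's code and not UnamBinder's own routine.
It assumes only what the entry states (the binder XOR-decrypts an embedded
component) plus the assumption that the component is a PE file, so a few
dozen plaintext bytes are known in advance. Key, payload and container below
are constructed for the demonstration.
"""
from __future__ import annotations

from itertools import cycle

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

# offset -> bytes found at that position in any PE linked with the default stub
KNOWN_PLAINTEXT = {
    0x00: b"MZ",             # e_magic
    0x1C: b"\x00" * 8,       # e_res, reserved, always zero
    0x28: b"\x00" * 20,      # e_res2, reserved, always zero
    0x4E: DOS_STUB_TEXT,     # message printed by the default DOS stub
}
MAX_KEY_LEN = 32                         # assumed upper bound on the key length
WINDOW = 0x4E + len(DOS_STUB_TEXT)       # bytes needed to test every constraint


def recover_key(blob: bytes, key_len: int) -> bytes | None:
    """Derive a key of exactly key_len from the known plaintext, or return None
    when the constraints contradict each other (wrong length, or not XOR)."""
    key = [None] * key_len
    for offset, plain in KNOWN_PLAINTEXT.items():
        for i, p in enumerate(plain):
            pos = offset + i
            if pos >= len(blob):
                return None
            k = blob[pos] ^ p
            if key[pos % key_len] is None:
                key[pos % key_len] = k
            elif key[pos % key_len] != k:
                return None
    return None if None in key else bytes(key)


def find_key(blob: bytes) -> bytes | None:
    """Shortest key (1..MAX_KEY_LEN) consistent with every known byte."""
    for key_len in range(1, MAX_KEY_LEN + 1):
        key = recover_key(blob, key_len)
        if key is not None:
            return key
    return None


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def verify_pe(data: bytes) -> bool:
    """Independent check on a recovered key: e_lfanew must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve(container: bytes) -> tuple[int, bytes] | None:
    """Scan a binder image for an XOR-encrypted PE; return (offset, key)."""
    for offset in range(len(container) - WINDOW + 1):
        key = find_key(container[offset:offset + WINDOW])
        if key is not None and verify_pe(xor(container[offset:offset + 4096], key)):
            return offset, key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped component: a valid DOS header and
    stub followed by filler. Not a runnable executable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")                      # e_lfanew
    hdr[0x40:0x4E] = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")   # stub code
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(hdr) + b"PE\x00\x00" + bytes(range(256)) * 4


KEY = bytes.fromhex("5a13c47e09aa31f0")  # constructed 8-byte key
FAKE_PE = build_fake_pe()
# constructed binder image: stub bytes, the encrypted payload, trailing padding
CONTAINER = b"STUB" * 100 + xor(FAKE_PE, KEY) + b"\x00" * 64


def demo() -> tuple[int, bytes, bytes]:
    """Locate the payload in CONTAINER and return (offset, key, decrypted bytes)."""
    hit = carve(CONTAINER)
    if hit is None:
        raise ValueError("no XOR-encrypted PE found")
    offset, key = hit
    # decrypt to the end of the image; trimming to the real size needs the PE
    # section table, which is left out here
    return offset, key, xor(CONTAINER[offset:], key)


if __name__ == "__main__":
    off, key, payload = demo()
    print(f"payload at 0x{off:x}, key {key.hex()}, starts {payload[:2]!r}")
```

The known-plaintext table is what makes the recovery deterministic: with 69 constrained bytes a wrong key of up to 32 bytes almost never survives the consistency check, and the e_lfanew check covers the residual coincidences. A binder that uses a non-repeating key, or strips the DOS stub, defeats this and needs a debugger instead.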
Malware family: asyncrat
ID: 1
File name: ExtremeInjectorv3.7.3.exe
Verdict: Malicious activity
Analysis date: 2026-01-26 18:32:08 UTC
Tags: github pastebin stealer stormkitty auto-reg telegram worldwind asyncrat rat xor-url generic ims-api api-base64 crypto-regex

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action the user took during the session, not only the uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: infosteal asyncrat autorun emotet

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Verdict: Malicious
File Type: exe x32
First seen: 2026-01-26T15:36:00Z UTC
Last seen: 2026-01-27T00:27:00Z UTC
Hits: ~100
Detections:
HEUR:Trojan-Banker.Win32.ClipBanker.gen PDM:Trojan.Win32.Generic BSS:Worm.Win32.BSS.ScreenLock BSS:Trojan.Win32.Generic.nblk Backdoor.Telebot.HTTP.C&C Backdoor.MSIL.Crysan.sb BSS:Trojan.Win32.Generic Trojan-Spy.TeleBot.HTTP.C&C HEUR:Trojan-PSW.MSIL.Stealer.gen HEUR:Trojan.Win64.Generic HEUR:Trojan.Win32.Generic HEUR:Backdoor.MSIL.SheetRat.gen BSS:Trojan.Win32.ImSKP.am Trojan-PSW.MSIL.Stealer.a Trojan-Banker.Win32.Express.sb HEUR:Trojan.MSIL.Shelpak.gen BSS:Exploit.Win32.Generic.nblk Trojan.Win32.Vimditator.sb Trojan-PSW.Win32.Coins.sb HEUR:Backdoor.MSIL.Crysan.gen Trojan-Banker.Win32.ClipBanker.sb HEUR:Trojan-Dropper.Win32.Agent.gen Trojan.Win32.Agent.sb Trojan-PSW.MSIL.WorldWind.sb Trojan-Downloader.MSIL.Enigma.sb not-a-virus:VHO:RiskTool.MSIL.Convagent.gen not-a-virus:VHO:RiskTool.MSIL.Injecter.gen not-a-virus:RiskTool.MSIL.Injector.v not-a-virus:VHO:RiskTool.MSIL.Generic
Malware family: Extreme Injector
Verdict: Malicious

Threat name: Win32.Dropper.Dapato
Status: Malicious
First seen: 2026-01-26 18:32:13 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 29 of 38 (76.32%)
Threat level: 3/5

Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:stormkitty botnet:default defense_evasion discovery execution persistence privilege_escalation rat spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Hide Artifacts: Ignore Process Interrupts
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Prevents Microsoft Defender from scanning certain paths by adding an exclusion.
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
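The behaviour list above is sandbox output; the same behaviours are what an endpoint detection should key on. The following is an added example, not MalwareBazaar's or the sandbox vendor's logic, written against Sysmon-style events that are assumed to be parsed into dicts with the field names used in the code (type, image, command_line, parent_image, target, details). The events, file paths and rule names are constructed; only the launcher file name ExtremeInjectorv3.7.3.exe comes from this entry.

```python
"""Host-side detections for the sandbox behaviours listed above.

Added example, not MalwareBazaar's or the sandbox's own logic. Events are
assumed to be Sysmon-style ProcessCreate / RegistrySet records already parsed
into dicts. The events below are constructed to mirror the listed behaviours
(PowerShell with an encoded command, a Defender exclusion, a Run key, execution
of a binary dropped under the user profile); they are not telemetry from the
sample.
"""
from __future__ import annotations

import base64
import re

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_EXCL_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I | re.S)
DEFENDER_EXCL_KEY_RE = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)
# -e, -ec, -enc, -encodedcommand ... followed by a base64 blob; -ep and -ex do not match
ENCODED_PS_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
DROP_DIR_RE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming|Local)|ProgramData|Users\\Public)\\", re.I)


def decode_encoded_command(b64: str) -> str | None:
    """-EncodedCommand carries base64 of UTF-16LE; return None for anything else."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:
        return None


def command_rules(cmd: str) -> list[str]:
    hits = []
    if DEFENDER_EXCL_RE.search(cmd):
        hits.append("defender_exclusion_added")
    m = ENCODED_PS_RE.search(cmd)
    if m:
        hits.append("powershell_encoded_command")
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            # re-run the same rules on what the encoded layer hides
            hits += [h + "_in_decoded_command" for h in command_rules(decoded)]
    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) pairs for every matching event."""
    alerts = []
    for i, ev in enumerate(events):
        hits = []
        if ev["type"] == "ProcessCreate":
            hits += command_rules(ev.get("command_line", ""))
            if DROP_DIR_RE.search(ev["image"]):
                hits.append("dropped_binary_executed")
        elif ev["type"] == "RegistrySet":
            if RUN_KEY_RE.search(ev["target"]):
                hits.append("run_key_persistence")
            if DEFENDER_EXCL_KEY_RE.search(ev["target"]):
                hits.append("defender_exclusion_added")
        alerts += [(i, h) for h in hits]
    return alerts


# constructed sample telemetry
INNER = 'Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming"'
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode()
INJECTOR = r"C:\Users\victim\Downloads\ExtremeInjectorv3.7.3.exe"   # file name from this entry
DROPPED = r"C:\Users\victim\AppData\Roaming\Updater.exe"            # constructed
EVENTS = [
    {"type": "ProcessCreate", "image": INJECTOR, "command_line": f'"{INJECTOR}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}", "parent_image": INJECTOR},
    {"type": "RegistrySet",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": DROPPED},
    {"type": "ProcessCreate", "image": DROPPED, "command_line": f'"{DROPPED}"',
     "parent_image": INJECTOR},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, rule in detect(EVENTS):
        print(idx, rule, EVENTS[idx].get("image") or EVENTS[idx].get("target"))
```

Decoding the -EncodedCommand layer and re-running the rules on the result is the part that matters: the Add-MpPreference exclusion never appears in the raw command line, so a rule that only inspects the visible arguments misses it.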
Malware Config
C2 Extraction: https://api.telegram.org/bot8498071055:AAHpkLnFSqcqoBJ5BRLXLoNzGKZN-fcRM_E/sendMessage?chat_id=5801620744
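The C2 above is a Telegram Bot API URL: the bot token (numeric bot id, a colon, a 35-character secret) is the credential and chat_id is the destination. The extractor below is an added example, not MalwareBazaar's or any vendor's code; it assumes that token layout and scans a strings dump in both 8-bit and UTF-16LE form, because .NET families such as AsyncRAT and StormKitty store string literals as UTF-16. The sample blob is constructed around the URL shown in this entry; the second sendDocument call, the regexes and the function names are assumptions.

```python
"""Extract Telegram Bot API C2 from a strings dump or unpacked image.

Added example, not MalwareBazaar's or any sandbox vendor's extractor. It
assumes the Bot API token layout (numeric bot id, a colon, a 35-character
secret), the same shape the INDICATOR_SUSPICIOUS_EXE_TelegramChatBot rule keys
on. The sample blob is constructed: it embeds the C2 URL reported for this
entry as 8-bit text and a second method call as UTF-16LE.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs

TOKEN = r"(\d{8,10}:[A-Za-z0-9_-]{35})"
URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot" + TOKEN
    + r"(?:/([A-Za-z]+))?"               # API method, e.g. sendMessage
    + r"(?:\?([A-Za-z0-9_=&%.+-]*))?",   # query, e.g. chat_id=...
    re.ASCII,
)
# a token on its own, for samples that assemble the URL at runtime
BARE_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_:-])" + TOKEN + r"(?![A-Za-z0-9_-])", re.ASCII)


def text_views(blob: bytes):
    """Yield the blob as 8-bit text and as UTF-16LE at both byte alignments."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def defang(url: str) -> str:
    return url.replace("http", "hxxp", 1).replace("api.telegram.org", "api[.]telegram[.]org")


def extract_telegram_c2(blob: bytes) -> list[dict]:
    """Return one record per distinct (token, method, chat_id) seen in the blob."""
    found: dict[tuple, dict] = {}
    for text in text_views(blob):
        for m in URL_RE.finditer(text):
            token, method, query = m.group(1), m.group(2), m.group(3)
            chat_id = parse_qs(query or "").get("chat_id", [None])[0]
            found.setdefault((token, method, chat_id), {
                "bot_id": token.split(":", 1)[0],
                "token": token,
                "method": method,
                "chat_id": chat_id,
                "defanged": defang(m.group(0)),
            })
        for m in BARE_TOKEN_RE.finditer(text):
            token = m.group(1)
            if not any(k[0] == token for k in found):
                found[(token, None, None)] = {
                    "bot_id": token.split(":", 1)[0], "token": token,
                    "method": None, "chat_id": None, "defanged": None,
                }
    return list(found.values())


# value reported in this entry
BOT_BASE = "https://api.telegram.org/bot8498071055:AAHpkLnFSqcqoBJ5BRLXLoNzGKZN-fcRM_E"
C2_URL = BOT_BASE + "/sendMessage?chat_id=5801620744"
# constructed strings dump: 8-bit copy of the C2, then a UTF-16LE string literal
SAMPLE_BLOB = (
    b"\x00\x00Config\x00" + C2_URL.encode() + b"\x00"
    + (BOT_BASE + "/sendDocument").encode("utf-16-le")
    + b"\x00noise\x00"
)


def demo() -> list[dict]:
    return extract_telegram_c2(SAMPLE_BLOB)


if __name__ == "__main__":
    for hit in demo():
        print(hit["bot_id"], hit["method"], hit["chat_id"], hit["defanged"])
```

A bare token without a URL is reported with method and chat_id set to None, which is what you get when the sample assembles the request string at runtime. The full token is kept in the output because blocking and abuse reports need it; the defanged form is for tickets and chat.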
Unpacked files
SHA256 hash: ec173f6992ea6a8731f820a213610af9995283cfcd1860483855f5d69a1c7629
MD5 hash: a04de842998d280a18024061dbf07153
SHA1 hash: 888a215745b9201e51483c43a57a3285f701528b

SHA256 hash: 2956c92fe0596ceb5b3eb5576b16a6eac61494ddb5c2a41d544fee0abea9cfb0
MD5 hash: e6f8d39dd63c77e30fe2124543542bcc
SHA1 hash: 342c86cf1a25134d402777a4add414d3c60c8469

SHA256 hash: 2847c490f325228a61de5f08b27b505a82eae5307c3c2713123a03f5fa3415b9
MD5 hash: 32a7cf2f2ab148fcc8ed618033f38b3a
SHA1 hash: 1f50a6d49b9b6671834babc87b353e3486aae8fb
Detections:
win_asyncrat_w0 WorldWindStealer cn_utf8_windows_terminal SUSP_NET_Msil_Suspicious_Use_StrReverse asyncrat win_asyncrat_bytecodes win_asyncrat_unobfuscated INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse INDICATOR_SUSPICIOUS_EXE_RawPaste_URL INDICATOR_SUSPICIOUS_EXE_TelegramChatBot INDICATOR_SUSPICIOUS_EXE_CC_Regex INDICATOR_SUSPICIOUS_EXE_Discord_Regex INDICATOR_SUSPICIOUS_EXE_References_VPN INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon MALWARE_Win_StormKitty MALWARE_Win_Multi_Family_InfoStealer MALWARE_Win_WorldWind
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments