MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe62ce01381e57eeed388498cce63803de8f7a9093d0c9b8ff821179d65aeee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 19


SHA256 hash: ffe62ce01381e57eeed388498cce63803de8f7a9093d0c9b8ff821179d65aeee
SHA3-384 hash: a4666f8d8664c5d1b6e0aa178fa1c007349df4197abf526d9accc132c94ec8d7c0add528dbf82a729b9ceda4c621153b
SHA1 hash: 04c1c126bf33d8d482375d84d891157ea6009c59
MD5 hash: 3b6a0296e223a2008aa5532e66eb45d1
humanhash: tennis-high-cola-wolfram
File name: Quote#Request20250000.pdf.exe
Signature: AsyncRAT
File size: 571'904 bytes
First seen: 2025-12-05 01:55:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:crKr1psyTQmPoHsk94dzCFOGbkZ1+k5dDDs2nMU5C0aNdn8V9V1J87FVN5gl1G:hps0QmY3mGFOMs75lDxXFe8J1pG
TLSH: T119C4CF987250B5AFC417DA3249A4ED74A6206D7B931BC20395E70DAFB90DAD7CF042F2
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: AsyncRAT exe RAT


abuse_ch
AsyncRAT C2:
192.227.217.229:17229

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 192.227.217.229:17229
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1667439/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 115
Origin country: NL
Vendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
Quote#Request20250000.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-12-05 01:57:21 UTC
Tags:
auto-sch-xml rat asyncrat remote netreactor snake keylogger evasion telegram stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
underscore asyncrat
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
krypt masquerade obfuscated obfuscated packed unsafe vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-04T22:33:00Z UTC
Last seen:
2025-12-06T23:53:00Z UTC
Hits:
~1000
Detections:
Backdoor.MSIL.Crysan.c Trojan.MSIL.Taskun.sb HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Crysan.d Backdoor.MSIL.Crysan.b PDM:Trojan.Win32.Generic PDM:Trojan.Win32.Badex.d
Result
Threat name:
AsyncRAT, PureLog Stealer, Snake Keylogg
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
[Behavior graph not reproduced. Behavior Graph ID: 1826948; Sample: Quote#Request20250000.pdf.exe; Startdate: 05/12/2025; Architecture: WINDOWS; Score: 100. Graph nodes cover the contacted hosts (fexgmail.zapto.org 192.227.217.229:17229, checkip.dyndns.com, api.telegram.org, reallyfreegeoip.org), the dropped executables under the user's AppData and Temp directories, and the spawned process chain (powershell.exe, schtasks.exe, MSBuild.exe, cmd.exe, conhost.exe).]
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.83 Win 32 Exe x86
Threat name:
Win32.Trojan.Egairtigado
Status:
Malicious
First seen:
2025-12-05 01:55:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Verdict:
malicious
Label(s):
anarchypanelrat asyncrat
Similar samples:
Result
Malware family:
vipkeylogger
Score:
10/10
Tags:
family:asyncrat family:vipkeylogger botnet:dec collection discovery execution keylogger persistence rat stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
VIPKeylogger
Vipkeylogger family
Malware Config
C2 Extraction:
192.227.217.229:17229
fexgmail.zapto.org:17229
Unpacked files
SHA256 hash:
ffe62ce01381e57eeed388498cce63803de8f7a9093d0c9b8ff821179d65aeee
MD5 hash:
3b6a0296e223a2008aa5532e66eb45d1
SHA1 hash:
04c1c126bf33d8d482375d84d891157ea6009c59
SHA256 hash:
39623d9713aae08971352f773a2e70b2ed4955ba95e9ceb0b4122deda9e9adfc
MD5 hash:
28b9caa1587ff3b260a00ab87fac0346
SHA1 hash:
518e3f481d3801103148ff45c3561ce3dfc6ff4b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
1e0db4851929ce23b77784dba259d11de3f39075913d43fd9c60c4c689134c29
MD5 hash:
2cc9788ad7327fafe1812c475e6c1b7d
SHA1 hash:
cddf92e688d45974a30f1756f3e5d03c3392b4d3
Detections:
win_asyncrat_w0 SUSP_OBF_NET_Reactor_Indicators_Jan24 asyncrat win_asyncrat_bytecodes
Malware family:
VIPKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments