MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 21 File information Comments

SHA256 hash:	01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5
SHA3-384 hash:	c9c014753da14f32518e6aa5746ffa511edc2653a2ae891f24cec5b232de6e7e77ff862e68473eb93693ca6bfeb372c7
SHA1 hash:	247549e10c189ab55396831787d7d619c77d6068
MD5 hash:	7ecdd19e2c7b309fe1e43aae80d1a265
humanhash:	vegan-bulldog-violet-saturn
File name:	file
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	225'319 bytes
First seen:	2026-05-16 11:56:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	183388b096f04db8679b00d085f87f72 (3 x AsyncRAT)
ssdeep	3072:UkY8yckIfPJWifvyA3yP+ITv57bbOb6Wt1dNYVO9YHhi331erdEs9Hb:2cVp/3yrTNbbObbfme31erdP
Threatray	1 similar samples on MalwareBazaar
TLSH	T1AE247C16B66951FDD1A7C5B4C9434942EA32388A4B60BEDF07904BB77E236E89F3C701
TrID	51.9% (.EXE) Win64 Executable (generic) (6522/11/2) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.9% (.EXE) Generic Win/DOS Executable (2002/3) 15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	54e64e AsyncRAT dropped-by-amadey exe

Bitsight

url: http://91.92.242.236/files-129312398/files/file_58e75d774ea83f95.exe

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

exe

Verdict:

Malicious activity

Analysis date:

2026-05-16 11:58:00 UTC

Tags:

auto-startup xworm remote

Link:

https://app.any.run/tasks/5c8b7196-fdb6-43a9-a332-cacc9f51c85f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/66108/

Detection(s):

SecuriteInfo.com.Variant.Formbook.18.93271846.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a085bb046d6967b3d90a7a0

Tags:

injection autorun dropper sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug microsoft_visual_cc overlay packed

Link:

https://www.filescan.io/uploads/6a085bab056ea44c4531a648/reports/e04e36f6-9937-4417-9148-7da7266bbf36/overview

Verdict:

Malicious

Labled as:

Formbook.Generic

Link:

https://www.hybrid-analysis.com/sample/01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-16T09:17:00Z UTC

Last seen:

2026-05-17T18:22:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Agentb.sb Trojan.Win32.Inject.sb Backdoor.MSIL.XWorm.jol Backdoor.MSIL.XWorm.b Backdoor.Agent.TCP.C&C

Link:

https://opentip.kaspersky.com/01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/854cb292-cff5-4ee7-9182-ef8d3d0a5a40

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/7ecdd19e2c7b309fe1e43aae80d1a265

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5

Threat name:

Win64.Backdoor.FormBook

Status:

Malicious

First seen:

2026-05-16 11:57:46 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=agbb7lspbbe5myamf4vtrqgliahgrcrx7dg4ztmmqrjnp3sqc3sq._file

Verdict:

malicious

Label(s):

xworm

Similar samples:

error

AsyncRAT

Gathering data

Unpacked files

SH256 hash:

01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5

MD5 hash:

7ecdd19e2c7b309fe1e43aae80d1a265

SHA1 hash:

247549e10c189ab55396831787d7d619c77d6068

Link:

https://www.unpac.me/results/a5c4d0a9-1bc0-402c-89b9-54b791010a56/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/01821fae4f08/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_AsyncRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects AsyncRAT backdoor.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	win_xworm_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xworm.

Rule name:	XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	xworm_kingrat Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

exe 01821fae4f0849d6600c2f2b38c0cb400e688a37f8cdcccd8c8452d7ee5016e5

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/66108/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample