MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292
SHA3-384 hash: b0c2be3d8674ee2c2f5ae797dad00766231f9d19dc53e18ac7c3b6ac2a1edbd9aab572c21436bf018e4ac4fae2b163cd
SHA1 hash: 4ba9bb58dbecf5f2afd0dc70d6eaa55bd0ac1ae2
MD5 hash: 28963018c4addb12d84d7fdfa95f8143
humanhash: december-foxtrot-king-eleven
File name:vvv.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'240 bytes
First seen:2025-11-30 19:25:03 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:Q2+O9OD6A/VYFp4/WT/DXT/VYAAZTQRtBZTUphfz9ZTnUMkWTX:qO9ODrVYFi/CrrVYAn9UptfnHj
Threatray 2'107 similar samples on MalwareBazaar
TLSH T15B215912ABF60204F7B3BE54BE795431093B7E65EE3ADA4E40444D0E1871A18D9B0F63
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter smica83
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41952/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692c9a24fca025d00d471585
Tags:
asyncrat shell micro remo
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 config-extracted dropper fingerprint powershell reconnaissance svchost.exe xworm
Link:
https://www.filescan.io/uploads/692c9a22efb20563535977e0/reports/c5377841-4fff-4371-9498-78344175ceb0/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292
Verdict:
Malicious
File Type:
vbs
First seen:
2025-11-30T16:31:00Z UTC
Last seen:
2025-12-01T07:03:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.JS.SLoad.sb Trojan.Win32.Dizemp.sb Trojan.Win32.Agent.sb HEUR:Trojan.Script.Generic Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b Backdoor.Agent.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.XWorm.a HEUR:Backdoor.MSIL.XClient.b
Link:
https://opentip.kaspersky.com/05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1823141
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Disables Windows Defender (via service or powershell)
Drops PE files with benign system names
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1823141 Sample: vvv.vbs Startdate: 30/11/2025 Architecture: WINDOWS Score: 100 40 maxfor0214-41192.portmap.host 2->40 42 bursahotelphuket.com 2->42 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 13 other signatures 2->52 8 wscript.exe 1 2->8         started        signatures3 process4 signatures5 62 VBScript performs obfuscated calls to suspicious functions 8->62 64 Suspicious powershell command line found 8->64 66 Wscript starts Powershell (via cmd or directly) 8->66 68 5 other signatures 8->68 11 powershell.exe 12 8->11         started        13 powershell.exe 27 8->13         started        16 powershell.exe 14 16 8->16         started        20 powershell.exe 28 8->20         started        process6 dnsIp7 22 svchost.exe 2 11->22         started        26 conhost.exe 11->26         started        70 Drops PE files with benign system names 13->70 72 Loading BitLocker PowerShell Module 13->72 74 Powershell drops PE file 13->74 28 conhost.exe 13->28         started        30 WmiPrvSE.exe 13->30         started        38 bursahotelphuket.com 172.67.211.184, 443, 49685 CLOUDFLARENETUS United States 16->38 36 C:\Users\user\AppData\Roaming\svchost.exe, PE32 16->36 dropped 32 conhost.exe 16->32         started        34 conhost.exe 20->34         started        file8 signatures9 process10 dnsIp11 44 maxfor0214-41192.portmap.host 193.161.193.99, 41192, 49688 BITREE-ASRU Russian Federation 22->44 54 Antivirus detection for dropped file 22->54 56 System process connects to network (likely due to code injection or exploit) 22->56 58 Multi AV Scanner detection for dropped file 22->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->60 signatures12
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated PowerShell
Link:
https://app.malva.re/file/28963018c4addb12d84d7fdfa95f8143
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-30 12:20:23 UTC
File Type:
Text (VBS)
AV detection:
3 of 38 (7.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axhj4aymu3qs3i6i3puaw23fcmkernuutabchnkizoqh6c52ikja._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
17cb673e636e991b3df0929c5704022acc9491a3a63d4375b3f8a063ab5eafba
AsyncRAT
32bd0facd51f470e833edf85d93e2c36e90e2ff7824c981d795950d92663cd05
AsyncRAT
a86aec200ab50bc3a739feb4954f02ab7ff503d02650ba50d154a25da92e8478
AsyncRAT
be47b60d0203fbf8aac0aabee21f7aa2e90ca5d17363576c3ee9b1d6efd63f14
AsyncRAT
cc4f4e1466183b11cfda923915e34cfd338cbf87a656d911120ceb784846d334
AsyncRAT
e59f8ad1238df3f4da6140834e44391806267bd15b1b6d14efdfaa131b35da09
AsyncRAT
e75983a3e7de409a67f9cb4d29aeae676234e4ff9a0731f932b68e653c64e0fe
AsyncRAT
error
AsyncRAT
+ 2'097 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty family:xworm discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251130-x45dvaaz8e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
StormKitty
StormKitty payload
Stormkitty family
Xworm
Xworm family
Malware Config
C2 Extraction:
maxfor0214-41192.portmap.host:41192
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

Visual Basic Script (vbs) vbs 05ce9e030ca6e12da3c8dbe80b6b65131448b694980223b548cba07f0bba4292

(this sample)

AsyncRAT

Executable exe 17cb673e636e991b3df0929c5704022acc9491a3a63d4375b3f8a063ab5eafba

Cape
Cape
https://www.capesandbox.com/analysis/41952/
  
Dropping
SHA256 17cb673e636e991b3df0929c5704022acc9491a3a63d4375b3f8a063ab5eafba
  
Dropping
MD5 11532619ca9fd44b140cb7ef7b69476d

Comments