MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080
SHA3-384 hash:	3056278167c6bd4d9adba00e9d18239c96c4f44b4eeeea9c94b2d5b1f12b7b4db2e76a6ba943b1afd164f5931fe598e4
SHA1 hash:	3f45a4787f77e43f9c609fbe0a34600242361dac
MD5 hash:	e8bd1d4b441205ec2116e1acea654eca
humanhash:	stairway-bulldog-paris-pip
File name:	SKM_C300i2510201438065959565985959595959_65535656535.PDF.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	540'160 bytes
First seen:	2025-10-21 04:25:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:xBBf7+ny1Ouo0k1C++9RBiejeMtiaFgTn:xvf75DoNDqb9uL
TLSH	T135B4F1686B5EED12C9D15BB008A0E3B26334CE4DD520D6038FEAADDBB469F56385D2C1
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	threatcat_ch
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SKM_C300i2510201438065959565985959595959_65535656535.PDF.exe

Verdict:

Malicious activity

Analysis date:

2025-10-21 04:27:43 UTC

Tags:

auto-startup remote xworm

Link:

https://app.any.run/tasks/8f188688-ef40-4b95-8a41-e374c4fa2ec2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/33553/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f70b7b3edd081eba403f68

Tags:

autorun keylog micro word

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Creating a file in the %AppData% directory

Using the Windows Management Instrumentation requests

Sending a TCP request to an infection source

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed vbnet

Link:

https://www.filescan.io/uploads/68f70b773a79800405ed7fab/reports/8df376bb-eb40-488b-a2ed-ab440dbc66c0/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-21T00:42:00Z UTC

Last seen:

2025-10-23T02:23:00Z UTC

Hits:

~1000

Detections:

PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan-Downloader.MSIL.Starpast.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.a HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b

Link:

https://opentip.kaspersky.com/2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d0f2cf58-3ee2-4625-9ad9-f2af09c16c5c

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1798812

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.16 Win 32 Exe x86

Link:

https://app.malva.re/file/e8bd1d4b441205ec2116e1acea654eca

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-10-21 04:26:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftliy47ua6ui2kohlgnee73up5hwq3orfqz35fsytve7f6dz2caa._file

Verdict:

malicious

Label(s):

unc_loader_037

xworm

Similar samples:

error

AsyncRAT

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery rat trojan

Link:

https://tria.ge/reports/251021-e2scdse12b/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Drops startup file

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

104.250.180.178:7061

Unpacked files

SH256 hash:

2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080

MD5 hash:

e8bd1d4b441205ec2116e1acea654eca

SHA1 hash:

3f45a4787f77e43f9c609fbe0a34600242361dac

Link:

https://www.unpac.me/results/6ca8bd48-781f-4bc8-a87e-72271b1edbd2/

SH256 hash:

b75c0b441c294e78ed00afecc3a6a61d5bca7b8c3315dffd62760d3352f6a6ba

MD5 hash:

20c1b580014f31baa3a4c87fe8c5d090

SHA1 hash:

31728a784ec7c8cb8d66d41ce3ec0e5cf53acd92

Detections:

win_xworm_a0

win_xworm_w0

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/6ca8bd48-781f-4bc8-a87e-72271b1edbd2/

Parent samples :

e64ad2ba0b6bc73561dfa9bf388160eb50e98463f9a4984d5e315bb3c0b0f4ad
2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080
f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495
b8c503270d33ed23ceeaa85d67c5621b050053199d6d12b1c27b339083bf14f0
50bc637d09d5520923e70f25d7325483f81a00061f883278bd68b94d93917d9c
4e12323d957c2b29d873e8ac7acd749b18c2f862fdeb28503041ccb1cbac9f22

SH256 hash:

9f2bdadb8926bf6157c7487e994ec28657f9415fd2fdf97a5ba82ba12e24046a

MD5 hash:

0e1119a6df48b550ad1353d136297ef3

SHA1 hash:

3f89b2297c1e0a29932eb25741a51538e005d565

Link:

https://www.unpac.me/results/6ca8bd48-781f-4bc8-a87e-72271b1edbd2/

SH256 hash:

1d377de31f7b2a2a7322523d02fa93fe2f51e8874acc645de985080768cd7350

MD5 hash:

0ed26371c62366497aa66785c4695b1e

SHA1 hash:

870d98e356e12cabed448ed5f75c9c2271a6ae95

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/6ca8bd48-781f-4bc8-a87e-72271b1edbd2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

exe 2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/33553/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample