MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 19

Intelligence 19 IOCs YARA 18 File information Comments

SHA256 hash:	2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d
SHA3-384 hash:	d2c1623471b474eb7ce32dd69321593199e89ad91f988da5f39dded29746f69506c52511e43b5271b3ebdb238698c57d
SHA1 hash:	9500b957bc2c10a574849c7c34611f8b70da69ad
MD5 hash:	00c18e4c9f1585f7f9f719784ef4f6c7
humanhash:	bacon-apart-uniform-skylark
File name:	XWormClient.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	35'840 bytes
First seen:	2025-10-01 12:05:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	768:FKM21ghR+XFYXKnUL1ZYOTFyn9i262OjhwSozC:FKM214RYiKULUqFK9i262Oja5zC
Threatray	1'821 similar samples on MalwareBazaar
TLSH	T126F22814B7904716DAEDAFF569F3A2010674D607E913EB4E0CE485CA6B67BC0CD423B6
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	AsyncRAT exe github-com--robertoaguilarfields-blip patients-apparatus-gl-at-ply-gg

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

XWormClient.exe

Verdict:

Malicious activity

Analysis date:

2025-10-01 12:18:13 UTC

Tags:

auto-reg xworm

Link:

https://app.any.run/tasks/63d5f25d-4ede-4d0d-8c99-c8e877a678ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/29729/

Detection(s):

Win.Packed.njRAT-10002074-1

Win.Packed.Msilzilla-10019837-0

Win.Packed.Loveletter-10023052-0

Win.Dropper.Nanocore-10024427-0

Win.Packed.Loveletter-10024677-0

Win.Packed.Msilzilla-10026193-0

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68dd192b7d643f33eab916e1

Tags:

asyncrat dropper virus xworm

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Creating a window

Connection attempt to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm asyncrat bladabindi njrat obfuscated packed packer_detected rat vbnet xworm

Link:

https://www.filescan.io/uploads/68dd197d74e5a289899c2cf7/reports/b49082ff-fbbf-486b-bbca-02a682554cac/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-19T08:58:00Z UTC

Last seen:

2025-10-01T11:07:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/210e6970-3f1b-4082-a109-6c18aad3b19b

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d

Gathering data

Detection:

xworm

Link:

https://mwdb.cert.pl/sample/2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d/

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2025-09-19 13:53:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

31 of 36 (86.11%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f2o7rmhh3hna7yrisdz3yvxeuhg2j4c73h7uutibdpxv5aaiwroq._file

Verdict:

malicious

Label(s):

xworm

AsyncRAT

2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d

AsyncRAT

5690563f352546c1b818db1cd50746466ace06de9b6a3b4abc313878de8da365

AsyncRAT

b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702

AsyncRAT

db5ba574b6107181d23ff1cc5b20b6fd69a559c9b80c6ecd16466223567e472a

AsyncRAT

error

AsyncRAT

ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4

AsyncRAT

+ 1'811 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm execution persistence rat trojan

Link:

https://tria.ge/reports/251001-paebkaep4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

patients-apparatus.gl.at.ply.gg:6179

Verdict:

Malicious

Tags:

rat xworm Win.Packed.njRAT-10002074-1

YARA:

MALWARE_Win_XWorm win_mal_XWorm

Link:

https://app.threat.zone/submission/f493df1e-b454-4b5a-a497-1adff1993d8e

Unpacked files

SH256 hash:

2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d

MD5 hash:

00c18e4c9f1585f7f9f719784ef4f6c7

SHA1 hash:

9500b957bc2c10a574849c7c34611f8b70da69ad

Detections:

win_xworm_w0

win_xworm_a0

XWorm

Link:

https://www.unpac.me/results/d74f5707-528d-4509-91a0-5b3e57805a65/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2e9df8b0e7d9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e9df8b0e7d9da0fe22890f3bc56e4a1cda4f05fd9ff4a4d011bef5e8008b45d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_AsyncRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects AsyncRAT backdoor.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	win_xworm_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xworm.

Rule name:	xworm Create hunting rule
Author:	jeFF0Falltrades

Rule name:	XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	xworm_kingrat Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29729/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample