MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e
SHA3-384 hash: a14b0ba5127015d783a7b7d0b91ef41953c05b9411c6861127d9c5f16dc2f131f17147f037d0a667e236cea4317caab4
SHA1 hash: 0a7526959015721d87982f7c145a0741aa53b117
MD5 hash: b32c6a7aa90dec9cf15add530fd0cb9f
humanhash: fruit-lithium-salami-early
File name:System Properties.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:118'784 bytes
First seen:2025-09-17 14:48:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:4wDyV3GAg/R+FF49fNOC/091yBd0+eGMbacBcAUAHHLVOXrxkVUHOJgKwyPjfOs:fbR+FF49fNOCSkEhbacBc60Xr7uJdzT
Threatray 1'783 similar samples on MalwareBazaar
TLSH T1DEC3D04837A04221D9BD6B7418B3A7760331FF0B9913EB4E08D5E75B2F737808A456E2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Launcher.exe
Verdict:
Malicious activity
Analysis date:
2025-09-06 22:34:24 UTC
Tags:
auto-startup auto-reg auto-sch crypto-regex xworm generic stealer stormkitty
Link:
https://app.any.run/tasks/82da13f2-a3d3-4ebe-8559-cea8a9fd6a1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27953/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68caca5988b95443924741f5
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Launching a process
Creating a process with a hidden window
Creating a window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-06T02:38:00Z UTC
Last seen:
2025-09-06T02:38:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59be4567-e93b-4eed-bcac-2911d629e4b2
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779363
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779363 Sample: System Properties.exe Startdate: 17/09/2025 Architecture: WINDOWS Score: 100 29 aiopal.camdvr.org 2->29 33 Suricata IDS alerts for network traffic 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 14 other signatures 2->39 8 System Properties.exe 1 6 2->8         started        13 System Properties.exe 1 2->13         started        15 System Properties.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 31 aiopal.camdvr.org 45.241.132.125, 4242, 49687 LINKdotNET-ASEG Egypt 8->31 25 C:\ProgramData\System Properties.exe, PE32 8->25 dropped 41 Protects its processes via BreakOnTermination flag 8->41 19 schtasks.exe 1 8->19         started        21 WerFault.exe 19 16 8->21         started        27 C:\Users\user\...\System Properties.exe.log, CSV 13->27 dropped file6 signatures7 process8 process9 23 conhost.exe 19->23         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e
Verdict:
njRat
YARA:
18 match(es)
Tags:
.Net Executable Managed .NET njRat PE (Portable Executable) PE File Layout RAT SOS: 0.24 Win 32 Exe x86 XWorm
Malware Config
C2 Extraction:
CNC: aiopal.camdvr.org
PORT: 4242
Link:
https://app.malva.re/file/b32c6a7aa90dec9cf15add530fd0cb9f
Detection:
xworm
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e/
Threat name:
Win32.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-09-06 14:50:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
31 of 36 (86.11%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hznvh6fqd2pk6vgjq6p4qmxt64pgwb4ln5gkzsj4vuc6fix7ampa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
82f320b21342c883ecfdca917e16e98c0ddbfbf118f54b817aa9bfa20ed29e12
AsyncRAT
9a657f8a9e75786f58aa9775b5b403544fc15249a22bc13165472f4ec7c20b6b
AsyncRAT
f7cc6a50776a88bdea2d58c6d89694af75adc95e5fa377f53738298922c97996
AsyncRAT
f83e8dc1abb15f1aacfa5f9909f51b8e944eeed29ce63049b00d0dd2477c4dbd
AsyncRAT
+ 1'773 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/250917-r663ka1tdx/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
aiopal.camdvr.org:4242
Verdict:
Unknown
Tags:
rat xworm
YARA:
MALWARE_Win_XWorm win_mal_XWorm win_xworm_bytestring
Link:
https://app.threat.zone/submission/bcb976f6-9fa1-4ddc-9dae-5990fa096dcb
Unpacked files
SH256 hash:
3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e
MD5 hash:
b32c6a7aa90dec9cf15add530fd0cb9f
SHA1 hash:
0a7526959015721d87982f7c145a0741aa53b117
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/1c554fc2-3a15-4868-8809-4c2ca34fac37/
Parent samples :
9a657f8a9e75786f58aa9775b5b403544fc15249a22bc13165472f4ec7c20b6b
53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9
3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_bytestring
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

Executable exe 53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9

AsyncRAT

Executable exe 3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e

(this sample)

  
Dropped by
SHA256 53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9
Cape
Cape
https://www.capesandbox.com/analysis/27953/
  
Dropped by
MD5 5a766fb66446e2c4d436167ef0944eb1

Comments