MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2
SHA3-384 hash:	84561f7b990aa3b21973efdc4dd78a9a3d52e7e179fa4eac37b6833f2f76a55336924b5377a9800a5258b476907ccf8a
SHA1 hash:	84ba3ad2e6fb3105bc9c4f76047cbe408d14f469
MD5 hash:	76f4a86de72c47124557a0058e4b9b67
humanhash:	violet-network-uranus-happy
File name:	47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	794'624 bytes
First seen:	2026-05-08 12:48:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'920 x AgentTesla, 19'821 x Formbook, 12'309 x SnakeKeylogger)
ssdeep	12288:2GGZw5e7lHeAW1gjuyKL7c2toTwQAroz+WbqZhBMFW+ZVLVwy4n2rSEqqwhbg:bGW0JpuyKLw230z+2FW+XVwyDSEqX
Threatray	763 similar samples on MalwareBazaar
TLSH	T1DBF40101A2B8DB1AE4BF9BF82DB1E03403B96C8EA521C64A4FD57EDFB535B100A45743
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/26f3ed7d-1bcb-48c6-9552-ef900b941701/

Malware family:

n/a

ID:

File name:

PAYMENT CONFIRMATION03_26.zip

Verdict:

Malicious activity

Analysis date:

2026-04-09 12:29:18 UTC

Tags:

arch-doc xworm remote susp-lnk

Link:

https://app.any.run/tasks/4d01a9fc-2947-47de-86bc-4d7de832775a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/65151/

Detection(s):

SecuriteInfo.com.W32.MSIL_Agent.JZL.gen.Eldorado.18471.25964.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Connection attempt to an infection source

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context crypt packed ransomware vbnet

Link:

https://www.filescan.io/uploads/69fddbc5df14f1cb2acdcc1b/reports/91548c4a-7ffa-4965-82c6-5254fe610e6c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-09T06:48:00Z UTC

Last seen:

2026-05-10T04:01:00Z UTC

Hits:

~10000

Detections:

Backdoor.MSIL.XWorm.b Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.XWorm.a Backdoor.Agent.TCP.C&C Trojan.MSIL.Agent.sb HEUR:Trojan.MSIL.Cryptos.gen VHO:Backdoor.Win32.Agent.gen Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.c Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb

Link:

https://opentip.kaspersky.com/47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b0496238-9eb4-47bf-9077-5e33e541f9e5

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2026-04-09 10:02:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Verdict:

malicious

Label(s):

xworm

AsyncRAT

87ffe7535f7e221d713ce338cb8f1ad3481c6a1a48932203f1658d6a1cd1c201

AsyncRAT

9b8d72d1a03fbc62aceda0d7e071474fa88f81624ce6aed1fd77f4197cd96305

AsyncRAT

9fe7289e6e6eff48961ebe44aed0440e21d35702da284c34f4ef8c37b6ad7419

AsyncRAT

+ 753 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution rat trojan

Link:

https://tria.ge/reports/260508-p3spnacy8q/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Drops startup file

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Family: Xworm

Malware Config

C2 Extraction:

178.16.52.78:7777

Unpacked files

SH256 hash:

47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2

MD5 hash:

76f4a86de72c47124557a0058e4b9b67

SHA1 hash:

84ba3ad2e6fb3105bc9c4f76047cbe408d14f469

Link:

https://www.unpac.me/results/053f54d0-6289-46a4-9741-aaf4d748c885/

SH256 hash:

7d3aeb42939734fb6031c9a5df939e92a5430107e48adb9e9ba7449996d4b6ed

MD5 hash:

0d016d1826a8b3318a90bda23e8b5cb7

SHA1 hash:

0f7ea70b131217ec310a6df95b2771127c9ec41f

Link:

https://www.unpac.me/results/053f54d0-6289-46a4-9741-aaf4d748c885/

SH256 hash:

5280afc604370ff52e2a3815c608a3207d58183529ed5acde2beeb18901748bd

MD5 hash:

4f58f46fbfec85786dcfedfebadee4fe

SHA1 hash:

9a7d42954727722e2f539daef39fd3ade71e58e4

Link:

https://www.unpac.me/results/053f54d0-6289-46a4-9741-aaf4d748c885/

SH256 hash:

85f46e7ba5b25d383038518d144b70c52b556f30f946330bff61679cb26af9b9

MD5 hash:

76f48dfd43d9641916dde4def0d25f11

SHA1 hash:

e82c232765bc709a4f18312a0e13aeee39deb03c

Detections:

win_xworm_w0

XWorm

Link:

https://www.unpac.me/results/053f54d0-6289-46a4-9741-aaf4d748c885/

Parent samples :

7df90390f5084407f21616f21c644ea9d354efb5d0b254a7f528ab8064457e36
da315d9c9c5c31c1cbfdcdbe673b94f236ad46afb6261ee7b22fea878b97a4e5
030967003eace6864210b5ac969bd55e91eda783aa60869fe6ff6dae00ee9c96
4fcbe167dcd88e72b52ed43a3bc0b27d3a68f64efbd1f23e0113cd9f55a55f12
bdd6ca44065c5b1f9866eda1b84cfec8e1abe42b739e7c776a9b5e67646d9edc
7e6683cd7621fc823d9c034c99526c914221f2a28a5571ccbfb8ea10069e8b41
cb90f55f8558abb13b7480d61fb30341df3f068250d7e13d8bfbc6419a36a4a6
47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/47e562e883c3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47e562e883c3f67160cb4f8be4f4ba5cf83dbc39d29cb85eda03326b8d37a1c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/65151/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample