MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076
SHA3-384 hash: 01841f15ed63599bcd46c5e92f899433077f405420eabb28ccfd77dd312c28ad37f6474385caee30ed83b536bf65e05c
SHA1 hash: edb864c8a3c6c920d8be12aa36bb5f079eb23b7f
MD5 hash: 3037747f4f35bc135c1392338e03cd01
humanhash: river-five-whiskey-robin
File name:499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076.ps1
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'141 bytes
First seen:2025-05-31 05:31:28 UTC
Last seen:2025-05-31 05:52:30 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 96:E+wRMiSV8rR+IBXH3KDNgeLNXWlNf+8DLykJ:E3MrOdNKpLNXyfdDB
Threatray 1'462 similar samples on MalwareBazaar
TLSH T19B517BBD8B37EBC2676575C4000C374B12D5CB0BAF54AC0A95C42977A139ABEAF7802C
Magika powershell
Reporter JAMESWT_WT
Tags:ps1 rcglobo-duckdns-org

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell.Exec-11.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683a954dacf88f5815e972a1
Tags:
asyncrat autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm asyncrat backdoor base64 conhost.exe dropper fingerprint obfuscated opendir opendir powershell rat reconnaissance telegram xworm
Link:
https://www.filescan.io/uploads/683a9456fd02ed5e05916aef/reports/dc13578b-b207-4ed6-84e6-b13b9fd806c2/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702846
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses the Telegram API (likely for C&C communication)
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1702846 Sample: BW9DC4BKfk.ps1 Startdate: 31/05/2025 Architecture: WINDOWS Score: 100 48 rcglobo.duckdns.org 2->48 50 api.telegram.org 2->50 52 rattynews.com 2->52 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 70 13 other signatures 2->70 10 powershell.exe 11 2->10         started        13 conhost.exe 2->13         started        15 conhost.exe 2->15         started        17 conhost.exe 2->17         started        signatures3 66 Uses dynamic DNS services 48->66 68 Uses the Telegram API (likely for C&C communication) 50->68 process4 signatures5 72 Encrypted powershell cmdline option found 10->72 74 Powershell drops PE file 10->74 19 powershell.exe 15 18 10->19         started        23 conhost.exe 10->23         started        process6 dnsIp7 54 rattynews.com 170.10.161.241, 49685, 80 STEADFASTUS United States 19->54 46 C:\Users\user\AppData\Roaming\conhost.exe, PE32 19->46 dropped 25 conhost.exe 15 5 19->25         started        file8 process9 dnsIp10 56 rcglobo.duckdns.org 176.65.141.36, 49693, 56001 WEBTRAFFICDE Germany 25->56 58 api.telegram.org 149.154.167.220, 443, 49692 TELEGRAMRU United Kingdom 25->58 76 Antivirus detection for dropped file 25->76 78 Multi AV Scanner detection for dropped file 25->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->80 82 3 other signatures 25->82 29 powershell.exe 23 25->29         started        32 powershell.exe 23 25->32         started        34 powershell.exe 25->34         started        36 2 other processes 25->36 signatures11 process12 signatures13 84 Loading BitLocker PowerShell Module 29->84 38 conhost.exe 29->38         started        40 conhost.exe 32->40         started        42 conhost.exe 34->42         started        44 conhost.exe 36->44         started        process14
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-29 23:46:24 UTC
File Type:
Text (Batch)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgkwnitgcz7k7yartdoixewxhr5m2goeucuzob6cwxthfep7ib3a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0903684851b55aab92a188c5cac4c225ddf0bc9d67434c977a6a510b3ffe0a0a
AsyncRAT
26820452d6f45063a5f396e9a4ffa4a1979a5a0e39afe5b4c96440baaa74c443
AsyncRAT
44f611726336cec3fa65ba287bf135af2cd43c6441ead65ce4a54c154ea80f90
AsyncRAT
4b60cc2b3d4b652eb9fa07324b40ddf65ed4f61f45a7ff903ac3d1687a096b90
AsyncRAT
717157d1d9377a0353d9a17f80c1a5571324851954cf381e58796d0ed7916ecc
AsyncRAT
9e635f3e25b5ef386e2ffb4facc56eb6c5394ee06fb58a03453d783ffec61933
AsyncRAT
+ 1'452 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/250531-f8btnagl6t/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
rcglobo.duckdns.org:56001
Dropper Extraction:
http://rattynews.com/blog/1.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

PowerShell (PS) ps1 499566a266167eafe01198dc8b92d73c7acd19c4a0a99707c2b5e67291ff4076

(this sample)

AsyncRAT

Executable exe 0903684851b55aab92a188c5cac4c225ddf0bc9d67434c977a6a510b3ffe0a0a

  
Dropping
SHA256 0903684851b55aab92a188c5cac4c225ddf0bc9d67434c977a6a510b3ffe0a0a
  
Dropping
MD5 e0e19ef192c4fcc6f7120aeb88499e38
  
URLhaus
https://urlhaus.abuse.ch/url/3555782/
  
Delivery method
Distributed via web download

Comments