MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51cf4209be2c160f3182f2488e68eec40edd7e9f9f76224fa4b66d4ec74a35bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51cf4209be2c160f3182f2488e68eec40edd7e9f9f76224fa4b66d4ec74a35bd
SHA3-384 hash: 39776decaa3c93a274cdc23963b0294b9b83e8ccc09c632d1e06ed1425f39d22b147db9a39ba3e5bf3c2f0f9e260e12a
SHA1 hash: fdd260f303aba9acd08772b397fa05d4820413b8
MD5 hash: 49cb9069b85abb848febad5884d61a5f
humanhash: hot-sierra-queen-don
File name:WhatsApp IMG 07-05-26 Payment advice.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'875'612 bytes
First seen:2026-05-08 10:35:02 UTC
Last seen:2026-05-11 12:39:45 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/csv
ssdeep 768:7uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuT:H
Threatray 95 similar samples on MalwareBazaar
TLSH T149D5AF315E84BAB0D3DB01E3F514D99DE5EE671B290DEEC9C1EA4D0523808F89CDD4AA
Magika txt
Reporter abuse_ch
Tags:AsyncRAT RAT vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
21
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64966/
Detection(s):
Sanesecurity.Rogue.0hr.20260507-1932.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32560.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Agent-106.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
GT:VB.Heur2.ZBot.3
Link:
https://www.hybrid-analysis.com/sample/51cf4209be2c160f3182f2488e68eec40edd7e9f9f76224fa4b66d4ec74a35bd
Verdict:
Malicious
File Type:
text.utf8
First seen:
2026-05-07T08:14:00Z UTC
Last seen:
2026-05-10T08:34:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/51cf4209be2c160f3182f2488e68eec40edd7e9f9f76224fa4b66d4ec74a35bd/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1910720
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Detected large data written to user environment variables, potentially indicating payload staging for fileless execution
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Copy file to startup via Powershell
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1910720 Sample: WhatsApp IMG 07-05-26 Payme... Startdate: 08/05/2026 Architecture: WINDOWS Score: 100 105 tradedsglobal.com 2->105 107 keyauth.win 2->107 117 Suricata IDS alerts for network traffic 2->117 119 Found malware configuration 2->119 121 Malicious sample detected (through community Yara rule) 2->121 123 20 other signatures 2->123 11 powershell.exe 14 15 2->11         started        15 wscript.exe 1 1 2->15         started        17 wscript.exe 1 1 2->17         started        19 svchost.exe 2->19         started        signatures3 process4 dnsIp5 111 tradedsglobal.com 45.136.5.4, 49683, 49690, 80 AS209737TR Turkey 11->111 143 Writes to foreign memory regions 11->143 145 Potential dropper URLs found in powershell memory 11->145 147 Injects a PE file into a foreign processes 11->147 21 CasPol.exe 3 10 11->21         started        26 conhost.exe 11->26         started        149 Suspicious powershell command line found 15->149 151 Wscript starts Powershell (via cmd or directly) 15->151 153 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->153 157 3 other signatures 15->157 28 powershell.exe 13 15->28         started        155 Detected large data written to user environment variables, potentially indicating payload staging for fileless execution 17->155 30 powershell.exe 17->30         started        113 127.0.0.1 unknown unknown 19->113 signatures6 process7 dnsIp8 109 103.83.86.92, 3333, 49689, 49691 GELEXIY-AS-INGelexiyCabNetIN India 21->109 97 C:\Users\user\AppData\...\o1sjcdnp55f.exe, PE32+ 21->97 dropped 99 C:\Users\user\AppData\...\lpfzos2uy0r.ps1, ASCII 21->99 dropped 129 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->129 131 Encrypted powershell cmdline option found 21->131 133 Tries to harvest and steal browser information (history, passwords, etc) 21->133 135 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 21->135 32 powershell.exe 21->32         started        36 csc.exe 4 21->36         started        38 csc.exe 3 21->38         started        46 3 other processes 21->46 101 WhatsApp IMG 07-05...vbs:Zone.Identifier, ASCII 28->101 dropped 103 WhatsApp IMG 07-05-26 Payment advice.vbs, CSV 28->103 dropped 137 Drops VBS files to the startup folder 28->137 40 conhost.exe 28->40         started        139 Writes to foreign memory regions 30->139 141 Injects a PE file into a foreign processes 30->141 42 conhost.exe 30->42         started        44 CasPol.exe 30->44         started        file9 signatures10 process11 file12 81 C:\Users\user\AppData\...\vbe0laiq.cmdline, Unicode 32->81 dropped 115 Suspicious powershell command line found 32->115 48 powershell.exe 32->48         started        50 csc.exe 32->50         started        53 conhost.exe 32->53         started        83 C:\Users\user\AppData\Local\Temp\CasPol.exe, PE32 36->83 dropped 55 conhost.exe 36->55         started        57 cvtres.exe 36->57         started        59 conhost.exe 38->59         started        61 cvtres.exe 38->61         started        63 conhost.exe 46->63         started        65 cvtres.exe 46->65         started        signatures13 process14 file15 67 o1sjcdnp55f.exe 48->67         started        71 csc.exe 48->71         started        73 conhost.exe 48->73         started        85 C:\Users\user\AppData\Local\...\vbe0laiq.dll, PE32 50->85 dropped 75 cvtres.exe 50->75         started        process16 file17 87 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 67->87 dropped 89 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 67->89 dropped 91 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 67->91 dropped 95 58 other malicious files 67->95 dropped 125 Antivirus detection for dropped file 67->125 127 Multi AV Scanner detection for dropped file 67->127 77 o1sjcdnp55f.exe 67->77         started        93 C:\Users\user\AppData\Local\...\txx3mhvt.dll, PE32 71->93 dropped 79 cvtres.exe 71->79         started        signatures18 process19
Score:
93%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/51cf4209be2c160f3182f2488e68eec40edd7e9f9f76224fa4b66d4ec74a35bd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51cf4209be2c160f3182f2488e68eec40edd7e9f9f76224fa4b66d4ec74a35bd/
Threat name:
Win32.Infostealer.Zeus
Create hunting rule
Status:
Malicious
First seen:
2026-05-07 13:08:16 UTC
File Type:
Binary
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=khhuecn6fqla6mmc6jei42hoyqhn27u7t53cet5ewzwu5r2kgw6q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2784de2c816381a25b4189510fe39760e1965e8405ea7e0237b70a69a53f2b8c
AsyncRAT
4c986689a876db9c727d0b2e29bcfd8d175b2126d4a5caca731475111e0253de
AsyncRAT
4faae28a520d3256654c241632fe3c0691972e3201829beac2f5ce92c955bed2
AsyncRAT
53677cc49eec8b73ed8262ef82e09f43a38f75784a1efd915a3a3534e10c693e
AsyncRAT
6d2e5ab52d3ad9b96526c3ca342c68490ee86e515bed8c9d865ed89735a8802c
AsyncRAT
860d5d42d8fe1e1e4da37b4373a40826b6164d0ae092b6a81cdac85f46b0f878
AsyncRAT
96bb07a3305cc71592b8dd0a6c370b1e8604c43f8977f216f9caed99131cd7e0
AsyncRAT
98a62848ba69cb645343aaabccc2669c5ed6d72d32c0251847c6cbb1e56a8bc8
AsyncRAT
+ 85 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution pyinstaller rat spyware stealer trojan upx
Link:
https://tria.ge/reports/260508-pmsdyscw5r/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
UPX packed file
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
103.83.86.92:3333
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51cf4209be2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51cf4209be2c160f3182f2488e68eec40edd7e9f9f76224fa4b66d4ec74a35bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_bytestring
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/64966/

Comments