MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e
SHA3-384 hash: 16d4fdc533a2215a8f62e801f03d313143ef53d4aaaa6bbdf42e9e1cac8c15247f55c369f3eb4c1ef47482c91143b493
SHA1 hash: 50287d927e66c4f6a578bfaeb660f688bc6913f5
MD5 hash: a2805fcc8241bef34cba7005a4c38015
humanhash: snake-jig-december-skylark
File name:SecuriteInfo.com.Win32.MalwareX-gen.27720.13489
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:579'488 bytes
First seen:2025-06-03 22:20:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d4b05170ea1a9a5c6b21bc3ea6061fea (2 x RustyStealer, 1 x AsyncRAT)
ssdeep 6144:9BQgbEeKe1H9NIuZ2mK9K+TUakhvP4VGqeRnfElydhSKQ6JuWxBB2qzH6T/qcH:9keHFNKZYpX7fcydhGsuWQqzH63H
Threatray 4 similar samples on MalwareBazaar
TLSH T163C45A0EF6B19098C57E0D362C7E536083765A269F435FBB4BD8366017B24A27F3A538
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 2c5939e1f9b56468 (1 x RustyStealer, 1 x AsyncRAT)
Reporter SecuriteInfoCom
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7157/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683f779807b5e8c1cfe476aa
Tags:
shellcode injection obfusc
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Connection attempt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm expired-cert microsoft_visual_cc redcap rust signed
Link:
https://www.filescan.io/uploads/683f7536985349514e5fcba2/reports/93219690-f080-49bc-be4f-0a690b0abd7e/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19773aac-9697-40a1-af6f-93bca5cc2586
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705431
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2025-01-30 03:57:13 UTC
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdsgtsgyii5u6sqryp7s4il6pq5xvdjnmxybywg3ourh45i4b5pa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e
AsyncRAT
error
AsyncRAT
f4ddddf321a14fd999abb12a63998124e5869b78c4ffc3c30cc80ca1824915d6
AsyncRAT
f5f1e34ad7a3e3931c6d6e59af300df4d31f0c052c399a7f1c8c5179b0964961
AsyncRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm discovery loader rat trojan
Link:
https://tria.ge/reports/250603-19cskaxm18/
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
135.181.8.126:7000
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/27c9c5fe-8441-42c2-86a3-72e39bbe15fb
Unpacked files
SH256 hash:
60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e
MD5 hash:
a2805fcc8241bef34cba7005a4c38015
SHA1 hash:
50287d927e66c4f6a578bfaeb660f688bc6913f5
Link:
https://www.unpac.me/results/6eeec9b9-a635-400f-b07c-c6a9de6d91fc/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/60e469c8d842/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 60e469c8d8423b4f4a11c3ff2e217e7c3b7a8d2d65f01c58db75227e751c0f5e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3557632/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7157/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryExW
kernel32.dll::GetStartupInfoW
kernel32.dll::GetCommandLineA
kernel32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleW
kernel32.dll::SetStdHandle
kernel32.dll::GetConsoleMode
kernel32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileW

Comments