MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c
SHA3-384 hash: eab38de91b6fce4fbe7397855e283275e9def2ca1fba5cba425296389ac4c5572d27bd2e50c8e2164736c0ea5eaa73aa
SHA1 hash: 0fcf2da01b9d37104f6f461998e765c564a88a27
MD5 hash: 10cd5cfb187c697529e3bd727cf915b6
humanhash: bluebird-three-california-autumn
File name:Purchase_Order_Sheet_Confirmation_Required_Quotation_Request_TradeKey_xls.js
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:41'597 bytes
First seen:2026-01-21 11:57:03 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:LQEdEt9QWfHekXzEGcdOnqUB3s0oQOzJc6O:lfO7qpQw9O
Threatray 684 similar samples on MalwareBazaar
TLSH T18A1374F07ACB77580B24393CC5882F9A6BBAF2593720F861A1D959CB842F75347764B0
Magika javascript
Reporter smica83
Tags:AsyncRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6970bf31bcad3327ec073861
Tags:
shell virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint masquerade repaired
Link:
https://www.filescan.io/uploads/6970bf2b55805a763fed10d4/reports/5814e935-ed7d-48cd-b101-3b1248d26b26/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c
Verdict:
Malicious
File Type:
js
First seen:
2026-01-20T20:10:00Z UTC
Last seen:
2026-01-23T07:54:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1854810
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1854810 Sample: Purchase_Order_Sheet_Confir... Startdate: 21/01/2026 Architecture: WINDOWS Score: 100 52 xxblessing2026now.duckdns.org 2->52 54 habibjee.store 2->54 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 72 17 other signatures 2->72 9 wscript.exe 1 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 2 2->14         started        16 6 other processes 2->16 signatures3 70 Uses dynamic DNS services 52->70 process4 signatures5 82 Suspicious powershell command line found 9->82 84 Wscript starts Powershell (via cmd or directly) 9->84 86 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->86 90 2 other signatures 9->90 18 powershell.exe 14 23 9->18         started        88 Changes security center settings (notifications, updates, antivirus, firewall) 12->88 23 MpCmdRun.exe 1 12->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        29 WerFault.exe 2 16->29         started        process6 dnsIp7 56 habibjee.store 172.67.167.137, 443, 49722 CLOUDFLARENETUS United States 18->56 50 C:\Users\user\AppData\...\ydlgwwji.cmdline, Unicode 18->50 dropped 74 Writes to foreign memory regions 18->74 76 Modifies the context of a thread in another process (thread injection) 18->76 78 Suspicious execution chain found 18->78 80 Injects a PE file into a foreign processes 18->80 31 RegAsm.exe 1 4 18->31         started        36 csc.exe 3 18->36         started        38 conhost.exe 18->38         started        40 conhost.exe 23->40         started        file8 signatures9 process10 dnsIp11 58 xxblessing2026now.duckdns.org 185.167.61.11, 3025, 49723 INETLTDTR Turkey 31->58 46 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 31->46 dropped 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->60 62 Drops PE files with benign system names 31->62 42 WerFault.exe 16 31->42         started        48 C:\Users\user\AppData\Local\...\ydlgwwji.dll, PE32 36->48 dropped 44 cvtres.exe 1 36->44         started        file12 signatures13 process14
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c
Threat name:
Script-JS.Backdoor.XWorm
Create hunting rule
Status:
Malicious
First seen:
2026-01-21 05:31:14 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oxsqhbafhzeh2sn25d4fp7jzv4axtqutjfxqgeqhfw5ptl44bboa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
15a9f29aaba59940714e92ef77712542ddb68ceb2f82f62ee85e30956ec23929
AsyncRAT
3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c
AsyncRAT
5368ee78ec544ea4b93c7e7cf85ca44329b2f3931d8f93194be18866052c5731
AsyncRAT
6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
AsyncRAT
68c553786094522830920122539df1d3a8f04caf880d84415728ffac780a4c84
AsyncRAT
ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73
AsyncRAT
ada3af84801eb7e4a28b6e1371b963e820fafc35bd6b7bd15a9a08180cbc17c5
AsyncRAT
bc6edff1b1148a9ad6a3aa8db0371d55ac57c8307ed841fc8e8030bdf4bed7ab
AsyncRAT
cf47a12ab207f39bb11672dc366839a72b61ee81d0870edffa2c3c5c058a0e0e
AsyncRAT
error
AsyncRAT
+ 674 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/260121-n4vd7sbx7c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Badlisted process makes network request
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction:
xxblessing2026now.duckdns.org:3025
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_bytestring
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments