MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867
SHA3-384 hash: ba290067de014aa08d9f9d3b4e6112fd16828c2de72c782169b1854b2ebaad147a1145e57cc314ba852e04cea83f32da
SHA1 hash: b8a298c1d3422089afbe4295708013b6744acbb9
MD5 hash: 2bd7774fa9ad56924d2aa0497e9ce05d
humanhash: black-helium-mike-hot
File name:file
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'084'288 bytes
First seen:2026-01-31 23:52:50 UTC
Last seen:2026-02-01 00:56:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'832 x AgentTesla, 19'770 x Formbook, 12'296 x SnakeKeylogger)
ssdeep 49152:GiSHEXxng31v8Q0td5DopbQ/mdgwExx/LFenHXwi/qjnWaPswdFXcP4owRk7L0m7:BSwx21vRc5VHxe3lgWaTTXcgowGn0MsE
TLSH T103E53379770B7499F82459BED8AA13C22329BF26F57101ED24E46B7C79B60B9C20077C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:AsyncRAT dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/1781548144/cASYKdm.exe

Intelligence

File Origin
# of uploads :
13
# of downloads :
209
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
EvilCoder SilentCryptoMiner XWorm
Details
EvilCoder
a mutex and AES-ECB decrypted component(s)
PEPacker
a UPX version number and an unpacked binary
SilentCryptoMiner
AES-CBC decryption parameters, decrypted component(s), and possibly urls and a CryptoCurrency address
XWorm
a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL
Link:
https://research.acce.ciphertechsolutions.com/results/31483316-570f-4f18-a4df-a32b903d3510/
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-31 23:55:20 UTC
Tags:
auto-reg crypto-regex xworm miner winring0-sys vuln-driver upx xor-url generic xmrig
Link:
https://app.any.run/tasks/8c27b832-4e4d-4b52-b2df-f11407131363

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
R77
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51054/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697e95f3848d0f834c8c3e52
Tags:
asyncrat cobalt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive installer-heuristic packed vbnet
Link:
https://www.filescan.io/uploads/697e95ef981ff1d38a4333c3/reports/10eedb83-604f-4ebb-b149-8e5a6463b9cc/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-31T21:04:00Z UTC
Last seen:
2026-02-01T20:55:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.Agent.pef HEUR:Backdoor.MSIL.XWorm.gen Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Miner.pef HEUR:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XClient.b Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.Multi.Agent.gen Backdoor.MSIL.Crysan.d VHO:Trojan.Win32.Agent.gen HEUR:Trojan.MSIL.APosT.gen RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.UDP.C&C RiskTool.BitCoinMiner.TCP.C&C
Link:
https://opentip.kaspersky.com/7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93d6fac3-66df-4a10-87a2-b9c80ab85416
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.18 Win 32 Exe x86
Link:
https://app.malva.re/file/2bd7774fa9ad56924d2aa0497e9ce05d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867/
Verdict:
Malicious
Threat:
Family.XBINDER
Link:
https://tip.neiki.dev/file/7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867
Threat name:
Win32.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2026-01-31 23:53:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6mbmxzkgvbo2oarphrjtr5zbgxzy7h5jv6colxtbzo56yxmzbtq._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
xworm
Create hunting rule
Similar samples:
error
AsyncRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xmrig family:xworm defense_evasion execution miner persistence rat trojan upx
Link:
https://tria.ge/reports/260131-3xfd2ab18e/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Power Settings
Checks BIOS information in registry
Checks computer location settings
Creates new service(s)
Executes dropped EXE
Stops running service(s)
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction:
adobe-cdn.duckdns.org:8080
8L0niGJfnjUQ3vnySTISYg==:999
Unpacked files
SH256 hash:
7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867
MD5 hash:
2bd7774fa9ad56924d2aa0497e9ce05d
SHA1 hash:
b8a298c1d3422089afbe4295708013b6744acbb9
Link:
https://www.unpac.me/results/6a59fe17-aed2-4af0-a897-ef622570965f/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7798165f2a35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 7798165f2a3542ed381179e299c7b909af9c7cfd4d7c272ef30e5ddf62ecc867

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3766892/
Cape
Cape
https://www.capesandbox.com/analysis/51054/

Comments