MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e
SHA3-384 hash: 3f544eea71e4388069f12037318740820def3c09f36f2ba65ccc6c7d8ce957dddc8017d1198897fb87900f839bd6e370
SHA1 hash: a812810570e60843cf675224294ea2b77f29aebe
MD5 hash: 7949c95afccc35cae5140e4331071c58
humanhash: william-berlin-steak-robin
File name:OuPNGompany Meeting-ScheduleDated.TXT
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:597'504 bytes
First seen:2025-11-20 08:47:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:8DK5wRbuqPym9E9tnhuDjOPBWOlWtlXLKxevL8G8iE8T9G088dAA:wVyWscDj4WOlWPXlyiEO9G03A
Threatray 354 similar samples on MalwareBazaar
TLSH T15FD4AEE06344C926D8A75BB88436D6B36633AE4DDC29C50D2ED6FF4B7D723420017A9B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OuPNGompany Meeting-ScheduleDated.TXT
Verdict:
Malicious activity
Analysis date:
2025-11-20 09:16:07 UTC
Tags:
auto-reg auto-startup remote xworm auto-sch-xml
Link:
https://app.any.run/tasks/b6ce1a98-1897-4bb9-90a0-75e6e234cd0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38821/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691ed5998cf6736ec0af9be6
Tags:
autorun spawn shell virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
filecoder masquerade packed ransomware ransomware vbnet
Link:
https://www.filescan.io/uploads/691ed5983aaf05a4c84edef5/reports/d6f22ec8-5746-47fb-8664-aa4cee4fd00e/overview
Verdict:
Malicious
Labled as:
Ransom.Agent.Generic
Link:
https://www.hybrid-analysis.com/sample/77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-20T04:07:00Z UTC
Last seen:
2025-11-22T07:30:00Z UTC
Hits:
~1000
Detections:
Backdoor.Agent.TCP.C&C Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Agent.sb Backdoor.MSIL.XWorm.a Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Taskun.sb Backdoor.Win32.Androm HEUR:Trojan.MSIL.Injector.gen Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Taskun.gen Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Agent.sb VHO:Backdoor.Win32.Agent.gen HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/caed4121-50a6-442d-ad0b-4a7b435be626
Result
Threat name:
PureLog Stealer, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1817651
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1817651 Sample: OuPNGompany Meeting-Schedul... Startdate: 20/11/2025 Architecture: WINDOWS Score: 100 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 17 other signatures 2->72 7 OuPNGompany Meeting-ScheduleDated.TXT.exe 7 2->7         started        11 duXCOajSD.exe 2->11         started        13 Fox.exe 2->13         started        15 Fox.exe 2->15         started        process3 file4 56 C:\Users\user\AppData\Roaming\duXCOajSD.exe, PE32 7->56 dropped 58 C:\Users\...\duXCOajSD.exe:Zone.Identifier, ASCII 7->58 dropped 60 C:\Users\user\AppData\Local\...\tmp77D3.tmp, XML 7->60 dropped 62 OuPNGompany Meetin...leDated.TXT.exe.log, ASCII 7->62 dropped 78 Adds a directory exclusion to Windows Defender 7->78 80 Injects a PE file into a foreign processes 7->80 17 OuPNGompany Meeting-ScheduleDated.TXT.exe 4 16 7->17         started        22 powershell.exe 21 7->22         started        24 powershell.exe 23 7->24         started        32 3 other processes 7->32 82 Multi AV Scanner detection for dropped file 11->82 26 schtasks.exe 11->26         started        34 2 other processes 11->34 28 schtasks.exe 13->28         started        30 Fox.exe 13->30         started        36 2 other processes 15->36 signatures5 process6 dnsIp7 64 192.30.241.135, 49719, 49720, 6106 INTELLIGENT-TECHNOLOGY-SOLUTIONSUS United States 17->64 54 C:\Fox.exe, PE32 17->54 dropped 74 Tries to harvest and steal browser information (history, passwords, etc) 17->74 76 Loading BitLocker PowerShell Module 17->76 38 WmiPrvSE.exe 17->38         started        40 WerFault.exe 17->40         started        42 conhost.exe 22->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 28->48         started        50 conhost.exe 32->50         started        52 conhost.exe 36->52         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2025-11-20 07:17:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7gfgab57gfveps3rshpkcdx7hjrkivdw4ec4axl252ghsbuajxa._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
unc_loader_078
Create hunting rule
xworm
Create hunting rule
Similar samples:
4bc7c3ee641390b78c356aef216d987fa7eba48192678f73048561762b11a5a9
AsyncRAT
7bd43a4dc0291302cddd4adcd10f9fb8236240f3e78b0da85b59cf45799aaf11
AsyncRAT
error
AsyncRAT
f662e9c4e17bacaeaa8d6c3e7aeb8ba088b8daf5cb9da1e057a70c3e580dfae5
AsyncRAT
+ 344 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/251120-kp1qwsxjgl/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
192.30.241.135:6106
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/43dff5c7-e898-4b72-9ace-00a96e4dff27
Unpacked files
SH256 hash:
77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e
MD5 hash:
7949c95afccc35cae5140e4331071c58
SHA1 hash:
a812810570e60843cf675224294ea2b77f29aebe
Link:
https://www.unpac.me/results/97ae388b-9f52-421a-b0b5-db24a98cae16/
SH256 hash:
123637c20b53465ad8a1acad2785e85af74cadb88bec1cdbc5f3da0dcdd3bc86
MD5 hash:
14b43d37fdb56ed6a45cd818e3f44fd0
SHA1 hash:
3f28eced5afa3affe4e9b1406ce5e5e2241c849c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/97ae388b-9f52-421a-b0b5-db24a98cae16/
SH256 hash:
111e88b06ab4bda9dcea292177f2fbf656f056ee3bc315aea8861653872867a4
MD5 hash:
ca046727926a963297a6f802f7f59312
SHA1 hash:
49c2d05a1f1ea2530c2b54c1450b70ab1595175c
Link:
https://www.unpac.me/results/97ae388b-9f52-421a-b0b5-db24a98cae16/
SH256 hash:
004d030618785f9df7f9dac8b20471c1a65062f881340bf43cbc5320a19c3945
MD5 hash:
c0597ae4773ca0b79b633011fad6b568
SHA1 hash:
dc6e5eca5a8d94318a201e6e25147626a6343e71
Detections:
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/97ae388b-9f52-421a-b0b5-db24a98cae16/
Parent samples :
866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b
0a65501859a30404dd798a8a68c4a0cc2ba8ade0a71d65c6aba32e93b788234c
bce3d785263907d22616adb089e84a1941b291ff326053bd43f9ce6b0ae11a99
77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77cc53003df9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_RANSOM_COVID19_Apr20_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:MAL_RANSOM_COVID19_Apr20_1_RID2ECC
Create hunting rule
Author:Florian Roth
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38821/

Comments