MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2
SHA3-384 hash: 854794bfa2b458481f2b8cb7abeb48c7f1b0345d97967d570ab9595b0f41bf3f1b562443c91610dec5b52b13aea6dd52
SHA1 hash: 535d737481f30895c874271c3584156fb6e9431a
MD5 hash: 51ce62f62ba5e2f424e8954893e6d815
humanhash: robert-bakerloo-five-alpha
File name:file
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:225'831 bytes
First seen:2026-02-21 14:01:01 UTC
Last seen:2026-02-24 08:33:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 183388b096f04db8679b00d085f87f72 (1 x AsyncRAT)
ssdeep 3072:SkY8yckIfPJWifvyA3yP+ITv57bbOb6Wt1dNYVO9YHhi331erwgEs9Hb:8cVp/3yrTNbbObbfme31erhP
Threatray 192 similar samples on MalwareBazaar
TLSH T194247C16B76951FDD1A7C5B4C9434942EA32388A4B60BEDF07904BB67E236E89F3C701
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:AsyncRAT dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/8532745682/eVLF2SR.exe

Intelligence

File Origin
# of uploads :
14
# of downloads :
193
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-02-21 14:01:54 UTC
Tags:
auto-startup xworm remote
Link:
https://app.any.run/tasks/f5c9a4f9-11ff-44dd-a182-fe43c7d0a215

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53968/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6999bab58fffa866e3b02920
Tags:
autorun dropper sharew sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context microsoft_visual_cc overlay
Link:
https://www.filescan.io/uploads/6999bab397feb4afd650a661/reports/2b9e3f35-1199-455d-b4a4-017091eac236/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan.Win64.Agentb.sb Trojan.Win32.Inject.sb Backdoor.MSIL.XWorm.b Backdoor.Agent.TCP.C&C Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.iqr Backdoor.MSIL.XWorm.a
Link:
https://opentip.kaspersky.com/794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44bdc7ff-516b-4830-8160-4bf02b002876
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/51ce62f62ba5e2f424e8954893e6d815
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-02-21 14:01:24 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfdzb2py2f62tjiosod3o3anpdmkpuvpgpvhl2ivscezc6vws7ba._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2590cb433896b545026338c66fe0014959405121ea0cbe7a4765e8b9f60f14d2
AsyncRAT
2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0
AsyncRAT
387c0b928b4211897c14214aa84cfcb8203a4724a120db336748f1752c4068a4
AsyncRAT
3f30eb884452a6b86c47244eaaf528b7e517b6ac85a6c85099e57d7c69fd944b
AsyncRAT
4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd
AsyncRAT
59c793d693cccdcce3de19a3934c7e2b03540188972c4690ccce3688d7575be7
AsyncRAT
729e593c24f402e38408308ff4f3dac564c9d159788d39941680048b84b35ec0
AsyncRAT
a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd
AsyncRAT
error
AsyncRAT
f9716ee5dd7c68f16b578817d60d1baeff9502e339322eca4a78873e9e528c04
AsyncRAT
+ 182 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/260221-rbqr4aez6c/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Contacts third-party web service commonly abused for C2
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
217.195.153.81:50000
Unpacked files
SH256 hash:
794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2
MD5 hash:
51ce62f62ba5e2f424e8954893e6d815
SHA1 hash:
535d737481f30895c874271c3584156fb6e9431a
Link:
https://www.unpac.me/results/cec826b1-dad1-4de7-bb6a-e4dd24c71c16/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/794790e9f8d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 794790e9f8d17da9a50e9387b76c0d78d8a7d2af33ea75e9159089917ab697c2

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3782310/
Cape
Cape
https://www.capesandbox.com/analysis/53968/

Comments