MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b
SHA3-384 hash: 5431991e3518865584601892a9ef5892a1b19c7235099ef5ce1573a489ff2ba212174a400db1df42b291e06619cec6b6
SHA1 hash: cfc8224be5827b8542146df1ad1206f79e589d91
MD5 hash: 8826027a17b51df2e829a20a2cb69d13
humanhash: purple-video-white-carbon
File name:D e PNG i ls -1 2 t h_N o v e m b r E 2025.TXT
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:483'328 bytes
First seen:2025-11-13 06:55:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qpcY1ZeM7LAnwB4O+17TREPa2nylxxZAK0g78h2KpEEGv8rDDNf/1P1s5:qpcsJ7L8wyv7eaDDxZBXK2aJTs
Threatray 1'054 similar samples on MalwareBazaar
TLSH T1D1A4F1146ABCDB02E4B61BF01A34E1B417B9AD9DA431D30A8FD53DDF70BAB0109517A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b.zip
Verdict:
No threats detected
Analysis date:
2025-11-13 06:58:14 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/32609cda-9a1b-454a-ae55-9459a99474f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38084/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6915811828ddbbca4d8dabd9
Tags:
autorun micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a process from a recently created file
Sending an HTTP GET request
Sending a custom TCP request
Loading a suspicious library
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6915811435898d9a36115d96/reports/d1bc1d8a-99ec-48ee-a429-93ad06e41cb6/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-13T03:42:00Z UTC
Last seen:
2025-11-15T05:13:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/643d3310-32b0-4733-b3d0-6f7e88a9897f
Result
Threat name:
MSIL Logger, MassLogger RAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1813142
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1813142 Sample: D e PNG i ls -1 2 t h_N o v... Startdate: 13/11/2025 Architecture: WINDOWS Score: 100 65 reallyfreegeoip.org 2->65 67 api.telegram.org 2->67 69 2 other IPs or domains 2->69 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 89 20 other signatures 2->89 8 D e PNG i ls -1 2 t h_N o v e m b r E 2025.TXT.exe 7 2->8         started        12 HefLzzftrzLt.exe 5 2->12         started        14 Fox.exe 2->14         started        16 Fox.exe 2->16         started        signatures3 85 Tries to detect the country of the analysis system (by using the IP) 65->85 87 Uses the Telegram API (likely for C&C communication) 67->87 process4 file5 59 C:\Users\user\AppData\...\HefLzzftrzLt.exe, PE32 8->59 dropped 61 C:\Users\user\AppData\Local\Temp\tmp501.tmp, XML 8->61 dropped 63 D e PNG i ls -1 2 ... E 2025.TXT.exe.log, ASCII 8->63 dropped 101 Adds a directory exclusion to Windows Defender 8->101 18 D e PNG i ls -1 2 t h_N o v e m b r E 2025.TXT.exe 4 17 8->18         started        23 powershell.exe 22 8->23         started        25 schtasks.exe 1 8->25         started        103 Multi AV Scanner detection for dropped file 12->103 27 schtasks.exe 12->27         started        37 2 other processes 12->37 29 schtasks.exe 14->29         started        31 Fox.exe 14->31         started        33 schtasks.exe 16->33         started        35 Fox.exe 16->35         started        signatures6 process7 dnsIp8 71 192.30.241.135, 49718, 49722, 6106 INTELLIGENT-TECHNOLOGY-SOLUTIONSUS United States 18->71 55 C:\Users\user\AppData\Local\Temp\mbffau.exe, PE32 18->55 dropped 57 C:\Fox.exe, PE32 18->57 dropped 91 Loading BitLocker PowerShell Module 18->91 39 mbffau.exe 18->39         started        43 WmiPrvSE.exe 18->43         started        45 conhost.exe 23->45         started        47 conhost.exe 25->47         started        49 conhost.exe 27->49         started        51 conhost.exe 29->51         started        53 conhost.exe 33->53         started        file9 signatures10 process11 dnsIp12 73 checkip.dyndns.com 132.226.247.73, 49723, 80 UTMEMUS United States 39->73 75 api.telegram.org 149.154.167.220, 443, 49725 TELEGRAMRU United Kingdom 39->75 77 reallyfreegeoip.org 172.67.177.134, 443, 49724 CLOUDFLARENETUS United States 39->77 93 Antivirus detection for dropped file 39->93 95 Multi AV Scanner detection for dropped file 39->95 97 Tries to steal Mail credentials (via file / registry access) 39->97 99 Tries to harvest and steal browser information (history, passwords, etc) 39->99 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.37 Win 32 Exe x86
Link:
https://app.malva.re/file/8826027a17b51df2e829a20a2cb69d13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b/
Threat name:
Win32.Trojan.Genie8DN
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 06:42:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzvy6jwegumbsjxhsucnowgz5co5kwcunxwccehdqxrvm5hmz6nq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
neptunerat
Create hunting rule
unc_loader_037
Create hunting rule
novastealer
Create hunting rule
Similar samples:
1ef8f48f8464e37887de6e318960e8814dfe2ddb6576b1a2348d838c6b687c40
AsyncRAT
80ba25ee75d1be0dae2c72debaf232aa745980beab0789918eb7d6e125867514
AsyncRAT
866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b
AsyncRAT
9db5b9e86e71661d7769316f9ef1fb79b6478b00726b8be14c0b09f7be5b941b
AsyncRAT
error
AsyncRAT
f81a80a1253af14c000762bab41208a7664b5c7153104c8ec3d93072b80528e5
AsyncRAT
+ 1'044 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:masslogger family:xworm collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251113-hqj4eshr9x/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Contains code to disable Windows Defender
Detect Xworm Payload
MassLogger
Masslogger family
Xworm
Xworm family
Malware Config
C2 Extraction:
192.30.241.135:6106
https://api.telegram.org/bot7910311526:AAEn5doit3APLTHTBsAxIx_YHMTZbEuOtRo/sendMessage?chat_id=6712961026
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/667ddb8b-6944-43e7-ba74-c82703a8d8f5
Unpacked files
SH256 hash:
866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b
MD5 hash:
8826027a17b51df2e829a20a2cb69d13
SHA1 hash:
cfc8224be5827b8542146df1ad1206f79e589d91
Link:
https://www.unpac.me/results/403398f8-f76c-4356-a023-600101b737df/
SH256 hash:
f44a97ba959a2f1b2154d69c4d118fd16bc5608f7f1dcf4f36bd44c6543b3b9a
MD5 hash:
64a9dd1563f828735d8bb70617bd4d5a
SHA1 hash:
85cfa4ff543dc85b7c8247876c9a8bee99cd9091
Link:
https://www.unpac.me/results/403398f8-f76c-4356-a023-600101b737df/
SH256 hash:
a4baf5ef367ff9acce8389c2ab49f72ac095defb47242a8aff6e9c9741e14ef6
MD5 hash:
b17a922f5738fd25daf5e33cdccb4742
SHA1 hash:
cdcb523b51293d654ead0f9867506f21d9c4616a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/403398f8-f76c-4356-a023-600101b737df/
SH256 hash:
004d030618785f9df7f9dac8b20471c1a65062f881340bf43cbc5320a19c3945
MD5 hash:
c0597ae4773ca0b79b633011fad6b568
SHA1 hash:
dc6e5eca5a8d94318a201e6e25147626a6343e71
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/403398f8-f76c-4356-a023-600101b737df/
Parent samples :
866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b
0a65501859a30404dd798a8a68c4a0cc2ba8ade0a71d65c6aba32e93b788234c
bce3d785263907d22616adb089e84a1941b291ff326053bd43f9ce6b0ae11a99
77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/866b8f26c435/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 866b8f26c435181926e79504d758d9e89dd558546dec2110e385e35674eccf9b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38084/

Comments