MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94
SHA3-384 hash: debf56738c9243779f063aca66ebcbcd34b970548c5d26e40f13915c4015c0f5177ce00b58834c00daac3f607e4768e9
SHA1 hash: 1c189ab9fed5cbaa0a050b63ff700e7c27c5766e
MD5 hash: 2c7ba1687f1b1021d85b3a71421c6590
humanhash: cola-pasta-network-football
File name:88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:778'240 bytes
First seen:2026-06-08 09:20:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'016 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 12288:sCJ+QRZ4nxX550JcmtwTiTaGPUe7fMpJnclenxjSubA1X+zWD5ovgnWKyLCzVNM:vPZ4nNr0JcqYejIJcWPoD6vWY0r
Threatray 67 similar samples on MalwareBazaar
TLSH T1EBF41208121DD70AC0AE5FF56870C0B427B8BD5AA521DA5BDFDA7DCFB876B0009163A7
TrID 72.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win64 Executable (generic) (6522/11/2)
4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 68e48c98b6b6b4c8 (5 x AgentTesla, 2 x a310Logger, 2 x Expiro)
Reporter adrian__luca
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5fad07c7-cb50-4cf3-a491-2286c11e35ea/
Malware family:
n/a
ID:
1
File name:
63a0943a3b84698f898cca5fca3de01d9b31bcba70fa417435ce0c625411db5f.zip
Verdict:
No threats detected
Analysis date:
2026-05-07 03:52:27 UTC
Tags:
arch-doc
Link:
https://app.any.run/tasks/aa9b0b9d-e376-47fe-8370-a7859e7f811c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69726/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3232.11402.7893.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2689b5ae2f98c00a68c531
Tags:
infosteal stration micro shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 packed similar-threat vbnet
Link:
https://www.filescan.io/uploads/6a268979bf16337e43bb20b0/reports/7ce41d31-fbb7-4692-acbd-c2da62cc9b63/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-07T00:42:00Z UTC
Last seen:
2026-06-08T15:14:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4499269f-91b6-4ee8-8725-d72944062623
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94/
Threat name:
Win32.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2026-05-07 03:52:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
303f75978a35d4835f456943a7f096546881f3e7f1680da167dd64f2c3abbb5f
AsyncRAT
9587ce36a1e86a913af1ec84aa2e04292e4bc7d469856d4b34eeb5aeea315ddc
AsyncRAT
a6455dea59980cdbab8c1a1002a84b1db5531e646a292a0c6489e7818bae445c
AsyncRAT
b7bfcc457284207f51138847c2036298f2e70d98d51bcc35e34a64cc5c591fe5
AsyncRAT
+ 57 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/260608-lbc84sbz2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Malware Config
C2 Extraction:
204.10.160.250:7007
Unpacked files
SH256 hash:
88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94
MD5 hash:
2c7ba1687f1b1021d85b3a71421c6590
SHA1 hash:
1c189ab9fed5cbaa0a050b63ff700e7c27c5766e
Link:
https://www.unpac.me/results/b9d06a34-3515-457c-bab4-84fd5ff4573e/
SH256 hash:
7b743702f5e8df986fb20c6ce32238c4cf9653a3fa84788442e3f89f99527ed6
MD5 hash:
2a63b35b51770875c5798f8c6a4f34c0
SHA1 hash:
4b0ebaafb8e34ca8f2b9334f7658df8b97087019
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
Link:
https://www.unpac.me/results/b9d06a34-3515-457c-bab4-84fd5ff4573e/
Parent samples :
9587ce36a1e86a913af1ec84aa2e04292e4bc7d469856d4b34eeb5aeea315ddc
88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94
41d0a449e657da1473447ca21ed3dea47b3d311b7ebcd73413d62bb5e139748d
251acca5da8553bb32b9de05a611309c9021754664fc3b5019a12527ce1edb1b
SH256 hash:
fd1d5a7afaf3334145159c7ab4d4b24ce23b52b097c53f7d0c20520c2afa39bb
MD5 hash:
374d7b505db986166d085fe2a6d455f3
SHA1 hash:
52cc8e67354064126ae2bd77b0d50bbf02eaf94d
Link:
https://www.unpac.me/results/b9d06a34-3515-457c-bab4-84fd5ff4573e/
SH256 hash:
caebf12cf2229d84b4fabdf412326d127d2d9fef20e6ec54198ace170e5110e7
MD5 hash:
0d7d14bd5d98367a66ae34fdaefefab7
SHA1 hash:
c6e7e12d4f2ff0a7faaa92d677b88633bcd8ebcb
Link:
https://www.unpac.me/results/b9d06a34-3515-457c-bab4-84fd5ff4573e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88d52e8d9bb86b9e831342c86f32ee04fbc9d680c38c61d320ff3eedfb143c94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69726/

Comments