MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 38 File information Comments

SHA256 hash:	8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a
SHA3-384 hash:	05d7c5d9bf61d814a3f1c1a87d657a916924ddfe69acc7d068369102a51a4b0d9a8e89d09dfb1bac4bd17c5411d27495
SHA1 hash:	9fa3cebe7b49f2412a0d618e82c461fa5e2bcd0b
MD5 hash:	5d7c38a454572e068141a98991b4ac42
humanhash:	jupiter-quiet-sodium-floor
File name:	8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	6'495'240 bytes
First seen:	2026-04-28 10:21:27 UTC
Last seen:	2026-04-28 10:21:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e5a2c85b0f13d6d706a027c875e2df5b (1 x AsyncRAT)
ssdeep	49152:oVdbcZiQ59a3EbEMUn6RVR4SME9ca+35SEGHY+/o+wiofnxaPKq5wMJn7q4TUEk5:ok2+Uns+QFOfnxiKE1TO8TIzVRJIY
Threatray	1'317 similar samples on MalwareBazaar
TLSH	T1B666C01AB7A501ECC0E7D5B88A175D13EAB2784913329BEB57E089552F23AF05F3E710
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

andromeda

ID:

File name:

https://coloursofthesky.online/crosshairxxxxxs

Verdict:

Malicious activity

Analysis date:

2026-04-25 19:51:29 UTC

Tags:

andromeda botnet gamarue telegram arch-exec xworm remote

Link:

https://app.any.run/tasks/fc96f78c-961a-45d0-b838-e5f72dcc532e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/63855/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Searching for synchronization primitives

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Connection attempt

Creating a window

Enabling the 'hidden' option for recently created files

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Enabling threat expansion on mass storage devices

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm asyncrat barys base64 crypto fingerprint microsoft_visual_cc njrat overlay reconnaissance unsafe xworm xworm

Link:

https://www.filescan.io/uploads/69f08a2d8a82359247b73ee5/reports/5e09cc31-7f98-4a66-bafd-257879823188/overview

Verdict:

Malicious

Labled as:

Giant.Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-04-25T06:22:00Z UTC

Last seen:

2026-04-29T16:33:00Z UTC

Hits:

~10

Detections:

Backdoor.Agent.TCP.C&C HEUR:Backdoor.MSIL.XWorm.gen HEUR:Backdoor.MSIL.XClient.b Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b

Link:

https://opentip.kaspersky.com/8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/afea5904-656f-4039-8568-9567a3c78525

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a

Threat name:

Win64.Trojan.GiantBarys

Status:

Malicious

First seen:

2026-04-25 06:11:53 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rkd2vy3izwmbp4yt5tqojo2sk2abpqa6ernxra5qhw2lwa6ybina._file

Verdict:

malicious

Label(s):

xworm

AsyncRAT

322f73c3a68b09cab469ace2c2b71cba547ca330f3e5db297cf7b923811d44e6

AsyncRAT

741c421367b548b8b45e8ddeb4e8fb735c7b1bd22d4c557841eb299bc0db4bb1

AsyncRAT

8d330aabb2f7c7ca00d5ace55110f7d4f977f2bae53f5605f2bf4230b19eb494

AsyncRAT

dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0

AsyncRAT

error

AsyncRAT

f241d92e0a83fc26fb02b477b3a8b30416414a3d20fcfcdf94352cc975786462

AsyncRAT

+ 1'307 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm persistence rat trojan

Link:

https://tria.ge/reports/260428-mdxwzags9t/

Behaviour

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks for VirtualBox DLLs, possible anti-VM trick

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Detect Xworm Payload

Family: Xworm

Malware Config

C2 Extraction:

87.106.168.15:7004

Unpacked files

SH256 hash:

8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a

MD5 hash:

5d7c38a454572e068141a98991b4ac42

SHA1 hash:

9fa3cebe7b49f2412a0d618e82c461fa5e2bcd0b

Detections:

win_xworm_a0

win_xworm_w0

triage_xworm_rat

Link:

https://www.unpac.me/results/4a34d5ec-d0dd-4f81-94a4-751312781404/

SH256 hash:

8d330aabb2f7c7ca00d5ace55110f7d4f977f2bae53f5605f2bf4230b19eb494

MD5 hash:

b55407ad89cd891755e1c9d6d0fd7045

SHA1 hash:

5f846f9c74e274074a28172c1c940c32cb80acdc

Detections:

win_xworm_a0

win_xworm_w0

XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/4a34d5ec-d0dd-4f81-94a4-751312781404/

Parent samples :

8d330aabb2f7c7ca00d5ace55110f7d4f977f2bae53f5605f2bf4230b19eb494
8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8a87aae368cd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a87aae368cd9817f313ece0e4bb52568017c01e245b7883b03db4bb03d80a1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_AsyncRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects AsyncRAT backdoor.

Rule name:	Check_Dlls Create hunting rule

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	Check_Qemu_Description Create hunting rule

Rule name:	Check_Qemu_DeviceMap Create hunting rule

Rule name:	Check_VBox_Description Create hunting rule

Rule name:	Check_VBox_DeviceMap Create hunting rule

Rule name:	Check_VMWare_DeviceMap Create hunting rule

Rule name:	cobalt_strike_beacon_detected Create hunting rule
Author:	0x0d4y
Description:	This rule detects cobalt strike beacons.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxProductID Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox product IDs

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Surtr Create hunting rule
Author:	Katie Kleemola
Description:	Rule for Surtr Stage One

Rule name:	SurtrStrings Create hunting rule
Author:	Katie Kleemola
Description:	Strings for Surtr

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	win_xworm_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xworm.

Rule name:	xworm Create hunting rule
Author:	jeFF0Falltrades

Rule name:	XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	xworm_kingrat Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/63855/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample