MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93ae860b34d78429fd3f4140cb2ca139bed29fa0f81d99cd35dce8f8024b0f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 19



SHA256 hash: 93ae860b34d78429fd3f4140cb2ca139bed29fa0f81d99cd35dce8f8024b0f0a
SHA3-384 hash: 3ebfb54f7695fc26e2beb8966b05cf68fe32a12b475748626beaf16d1ed83e16ea71db5d0d882e577845ba80bbb089ff
SHA1 hash: 881b9429acc6d3c48699efeb2210d7755a7df82d
MD5 hash: d7dbbca5cdbf29a6c5262dd03dd90be4
humanhash: zebra-romeo-twelve-quebec
File name: 93ae860b34d78429fd3f4140cb2ca139bed29fa0f81d99cd35dce8f8024b0f0a.exe
Signature: AsyncRAT
File size: 2'758'656 bytes
First seen: 2026-03-22 11:37:20 UTC
Last seen: 2026-03-22 12:41:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a9c887a4f18a3fede2cc29ceea138ed3 (36 x CoinMiner, 19 x AsyncRAT, 18 x QuasarRAT)
ssdeep: 49152:a3NXPZdbJxx2azExp8h4nqSahFhbCemo2YDH6V2J+esJoKqVB/r:a3NXPZx7zE7tqSWhQXYDFJxsJ
Threatray: 556 similar samples on MalwareBazaar
TLSH: T18CD523A4B05B89FBC4679477A8263A4CCFBE1EEA0861191D20755EF2F91A804C1F1D7F
TrID: 33.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.2% (.EXE) Win64 Executable (generic) (6522/11/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Skynet11
Tags: AsyncRAT Dapato exe

Intelligence


File Origin
# of uploads:
2
# of downloads:
152
Origin country:
AU
Vendor Threat Intelligence
Malware configuration found for:
UnamBinder XWorm
Details
UnamBinder
XOR decrypted component(s)
XWorm
a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL
Malware family:
n/a
ID:
1
File name:
download2.exe
Verdict:
Malicious activity
Analysis date:
2026-03-21 13:51:11 UTC
Tags:
auto-sch auto-startup auto-reg arch-exec crypto-regex api-base64 pulsar rat xworm

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Connection attempt
Creating a file in the Program Files subdirectories
Loading a suspicious library
Forced system process termination
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
nitol packed tiny unsafe
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Backdoor.MSIL.XClient.b Trojan.WinLNK.Agent.fb Trojan.Win32.Vimditator.sb HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Trojan.Win32.Agent.pef HEUR:Trojan.MSIL.R77.gen HEUR:HackTool.Win64.Disabler.pefng HEUR:Exploit.MSIL.BypassUAC.c Backdoor.MSIL.XWorm.a Trojan.Win32.Agent.sb HEUR:Trojan-Spy.WinLNK.Xegumumune.gen HEUR:Trojan-Dropper.Win32.Agent.gen HEUR:Trojan-Dropper.MSIL.Agent.gen HEUR:Trojan.Win32.Generic HEUR:HackTool.Win64.Disabler.gen Backdoor.MSIL.XWorm.b Backdoor.MSIL.PulsarRAT.sb Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agent.sb PDM:Worm.Win32.Generic PDM:Trojan.Win32.Tasker.cust Trojan-Banker.MSIL.ClipBanker.sb HEUR:Exploit.MSIL.BypassUAC.gen HEUR:Backdoor.MSIL.XWorm.gen
Gathering data
Threat name:
Win32.Dropper.Dapato
Status:
Malicious
First seen:
2026-03-21 13:51:33 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
3/5
Result
Malware family:
Score:
10/10
Tags:
family:customerloader family:defendnot family:quasar family:xworm botnet:cs2 defense_evasion discovery downloader execution hacktool loader persistence rat spyware trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Customer Loader
Customerloader family
Defendnot
Defendnot family
Detect Xworm Payload
Detects Defendnot
Quasar RAT
Quasar family
Quasar payload
Xworm
Xworm family
Malware Config
C2 Extraction:
94.154.32.93:4782
94.154.32.93:7000
Unpacked files
SHA256 hash:
93ae860b34d78429fd3f4140cb2ca139bed29fa0f81d99cd35dce8f8024b0f0a
MD5 hash:
d7dbbca5cdbf29a6c5262dd03dd90be4
SHA1 hash:
881b9429acc6d3c48699efeb2210d7755a7df82d
SHA256 hash:
324913605c99f61689635c6e58dee8a1f874c25688d73c150ac19f581f9c2028
MD5 hash:
e0a9ab3ee4df1a261af22eee00450772
SHA1 hash:
276b45e8dd2ebd62ed8f40ed08c77d3a45532f07
Detections:
win_xworm_a0 win_xworm_w0 XWorm win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm
SHA256 hash:
32ddcc8ec426baf56816514447c6cef2ef81b20b145946e7533401d3eb0ca929
MD5 hash:
ff508c605092d6aaf88651c4406162fb
SHA1 hash:
6986dd0dc239754ae457da779f065d70335190a5
SHA256 hash:
be27cc8b9ca1d80e2383b152992eff38dc18f41c182ad42cfbf7707407fb9e3e
MD5 hash:
a1e18fed4561874a83fda9718abef101
SHA1 hash:
964094540124c5bf1daa2ba539cbc992ddb3ac36
Detections:
QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 Gen_Base64_EXE INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
SHA256 hash:
1c1a49dc957ade033bd60dca58db3cc2221bd71bab7a20ab4f5009e98f13ff29
MD5 hash:
a70c5dc135347dde470f1e5b7edb4411
SHA1 hash:
e85c560a6aa24e2c64ad2a74b995a7316e8e8958
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24 HKTL_NET_GUID_Quasar
SHA256 hash:
d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c
MD5 hash:
1d3dd9fcc077e6b4f88c05b9aef53ee6
SHA1 hash:
12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66
SHA256 hash:
4c9615496970ea84320e2a6e99f8fb828e3c7790384df5585d93fc368885d94e
MD5 hash:
50e6524b7ee9c2c93f5210b63cb1ca54
SHA1 hash:
3e296ec3bb24750833ea80515e6fb4c73874c91a
SHA256 hash:
ceed689891874eed41295189b2db3c187aabcfc90add5a1d2af96f078bcb4811
MD5 hash:
026a5bafe4ac686c01e9d56e00a87ab1
SHA1 hash:
a6ff2228e8114a2b4040d0ca137c4b544ff034f4
SHA256 hash:
5012d7cab74e4d5bd9fdd298d05ae5d51442e66d426e5859beb9a513ad1acae4
MD5 hash:
79331ea5a83291a3f45014f126c5176f
SHA1 hash:
d60daf9acaacbeb3def349c76f236df1460a4797
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64 encoded PowerShell script.
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments