MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a008a15a228ccb6d2ad23aa65b6ce1c2ddffa33747d63bb9770dfc85ad9a66a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash: a008a15a228ccb6d2ad23aa65b6ce1c2ddffa33747d63bb9770dfc85ad9a66a7
SHA3-384 hash: 86e34c5771c63b4d878285741375bef790a9d0fb95d158aab096a318ecdb4e1fe4b8170dc6c99f14f3a9663cf742e713
SHA1 hash: 9603d417a1c20af9cb5ddd132a777cef34bf2ce4
MD5 hash: 96b0214d01229658591dca4bc093c260
humanhash: hawaii-kentucky-orange-william
File name:a008a15a228ccb6d2ad23aa65b6ce1c2ddffa33747d63bb9770dfc85ad9a66a7
Download: download sample
Signature AsyncRAT
File size:966'152 bytes
First seen:2026-05-08 12:26:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:N7AxGSJJSHwhR8hkqEx2bthjMZJWPVJW05q9njRqEYFd:N0xGqUwhGhFEYfqJ8W0unj63
Threatray 1'743 similar samples on MalwareBazaar
TLSH T18E25E05923A8EE01C4A75BF40870E3744BF56C589422E30B9EF6BDEFBA397016905397
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 4c8383cc832bdd4d (1 x AsyncRAT)
Reporter adrian__luca
Tags:AsyncRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
97
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-08 13:31:25 UTC
Tags:
auto-startup susp-lnk xworm

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature lolbin packed signed snakekeylogger tracker vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-01T08:16:00Z UTC
Last seen:
2026-05-08T17:08:00Z UTC
Hits:
~100
Gathering data
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Status:
Malicious
First seen:
2026-04-01 12:10:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Malware Config
C2 Extraction:
107.172.31.107:6000
Unpacked files
SH256 hash:
a008a15a228ccb6d2ad23aa65b6ce1c2ddffa33747d63bb9770dfc85ad9a66a7
MD5 hash:
96b0214d01229658591dca4bc093c260
SHA1 hash:
9603d417a1c20af9cb5ddd132a777cef34bf2ce4
SH256 hash:
0bbee6234316c56b35d2174c49c39994a4d1e58bc84af9eb92cf705dc403454b
MD5 hash:
a6c9fc54e7842bc4aef6f5af420debd3
SHA1 hash:
60005ad68ab0509af773856ef1ad61604c13ba04
SH256 hash:
4447fe8d112e6455f2dc2764ef66df2e8b028838c99706f2c565058d08d1bac4
MD5 hash:
a12cf68b20113c7325bcdefc4dfd9fa0
SHA1 hash:
a4d8c80cfccf2e0d45299a0de1d59520a7e3ab85
SH256 hash:
44cba34c989b31fef289ae5e5f7309959f23f6b3af6e255fd01839ac58219064
MD5 hash:
04247980985994de2cce462236762d21
SHA1 hash:
8181756ea6cede87bdd8a19d10dee012fe2733f5
Detections:
win_xworm_a0 win_xworm_w0 XWorm
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments