MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b
SHA3-384 hash: d3e5259d219867d96d021c817b2d139dfd71760e8f376a25852ea378d06e1b5de6ab9c0d3b299aceae84e7473a0ffcdd
SHA1 hash: 9505154a0161e92ddc0dd7a2ccfb443ac483d86b
MD5 hash: 6f95fa7d779c559b7b8a6f15d23ee833
humanhash: sodium-chicken-don-cat
File name:z123_0406_RM_RfQFluidSystem.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:706'056 bytes
First seen:2025-05-07 07:00:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wK3nWLhUWRzI211b0drG0onQx6WCPi+P7HWRm5iYGBQSkR:wYnyUWqA0dix//Ywa6
Threatray 285 similar samples on MalwareBazaar
TLSH T1B1E4E0146268AF52D87A9BF405A0E5302BF12E1FD569E3560FDA6CDFB860F401F18B93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 79d4c8a8d4e87190 (3 x AgentTesla, 2 x Formbook, 1 x Loki)
Reporter FXOLabs
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z123_0406_RM_RfQFluidSystem.scr
Verdict:
Malicious activity
Analysis date:
2025-05-07 07:03:23 UTC
Tags:
auto-startup remote xworm
Link:
https://app.any.run/tasks/b6722c4e-1435-4ece-a18f-7fd8d73d8460

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3223.326.30698.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681b05596c95617a27b5abe9
Tags:
autorun kryptik virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Forced shutdown of a system process
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature obfuscated packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/681b05360b64e174c41b6e54/reports/71e50421-57d8-4941-b7b0-fe01573dc289/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a3fe65e-578a-4d3c-9f90-4cfe2aad78ff
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1682949
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1682949 Sample: z123_0406_RM_RfQFluidSystem... Startdate: 07/05/2025 Architecture: WINDOWS Score: 100 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 12 other signatures 2->59 7 z123_0406_RM_RfQFluidSystem.scr.exe 7 2->7         started        11 wpvoTjvAzs.exe 5 2->11         started        13 svchost.exe 1 1 2->13         started        process3 dnsIp4 41 C:\Users\user\AppData\...\wpvoTjvAzs.exe, PE32 7->41 dropped 43 C:\Users\...\wpvoTjvAzs.exe:Zone.Identifier, ASCII 7->43 dropped 45 C:\Users\user\AppData\Local\...\tmp61AE.tmp, XML 7->45 dropped 47 z123_0406_RM_RfQFluidSystem.scr.exe.log, ASCII 7->47 dropped 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 67 Writes to foreign memory regions 7->67 69 Allocates memory in foreign processes 7->69 71 Adds a directory exclusion to Windows Defender 7->71 16 RegSvcs.exe 6 7->16         started        21 powershell.exe 23 7->21         started        23 schtasks.exe 1 7->23         started        73 Multi AV Scanner detection for dropped file 11->73 75 Injects a PE file into a foreign processes 11->75 25 schtasks.exe 11->25         started        27 RegSvcs.exe 11->27         started        29 SIHClient.exe 11->29         started        51 127.0.0.1 unknown unknown 13->51 file5 signatures6 process7 dnsIp8 49 185.174.102.173, 49719, 7030 ASN-QUADRANET-GLOBALUS Ukraine 16->49 39 C:\Users\user\AppData\Roaming\XClean.exe, PE32 16->39 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->61 63 Loading BitLocker PowerShell Module 21->63 31 conhost.exe 21->31         started        33 WmiPrvSE.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        file9 signatures10 process11
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 06:59:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uefurcchp2vdi54wd74giup55cgwlaobtd7sxuaq32stfiddsivq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
038f5306f2e0a321feed92789bb34b382def8f7e67a38cb924e1e508934a5c74
AsyncRAT
0ba74e4e09ceb57eaa496190d358878745ce81fa0ba6a1834948ab558a058b10
AsyncRAT
265047bb3b17c31db8680e5dc97255cfc147e02f730db48a6852cf403033ea69
AsyncRAT
2c94e0937726b8c53f46350c17b50abb816f720708055e92a097c796a9970f01
AsyncRAT
error
AsyncRAT
+ 275 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/250507-hs86bsx1bt/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
185.174.102.173:7030
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e2af9ef5-678f-473a-b909-a4a09a545552
Unpacked files
SH256 hash:
a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b
MD5 hash:
6f95fa7d779c559b7b8a6f15d23ee833
SHA1 hash:
9505154a0161e92ddc0dd7a2ccfb443ac483d86b
Link:
https://www.unpac.me/results/3b32d074-970d-461c-b080-fd731e4d8b8b/
SH256 hash:
210f2bd3576d1ab8d160a9e772b5227cd39edda8d8648d04e204e3807caf1865
MD5 hash:
55ed625639f59da4600a7084e7a16615
SHA1 hash:
24c9dd20f6835f4e4d5f8dc66ac176a6d3a03664
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/3b32d074-970d-461c-b080-fd731e4d8b8b/
SH256 hash:
6a8728bdf199cb2fe3a63cb8a2e6657e70214f046b08d9f0c2ed57100f24dd50
MD5 hash:
8345e6fb7d3b4fa69ac397f10e6c1d41
SHA1 hash:
71b04645f3813278737d63e0abd0acc4ec7a9bd2
Link:
https://www.unpac.me/results/3b32d074-970d-461c-b080-fd731e4d8b8b/
SH256 hash:
33e18c00e50d8eb9a68fe6abd0ef3f7b35b733b72755cfa144cab414636bc888
MD5 hash:
1f660d0d5a2baf44b6556095c1884f6b
SHA1 hash:
dd6bc34b85a0a3407e9406630d9131280976df73
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3b32d074-970d-461c-b080-fd731e4d8b8b/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a10b4888477e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe a10b4888477eaa3477961ff86451fde88d6581c198ff2bd010dea532a063922b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments