MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a
SHA3-384 hash:	22df03e834a4583d31d946b5693612720195bb9026094fde55b200d7eddbf55880b85deb679962a474d1bb27249e754e
SHA1 hash:	f1181dbc0a9134dfdda43dbacd498eb89aba002a
MD5 hash:	10772936db74d8871f828ba83497890c
humanhash:	asparagus-earth-march-april
File name:	37xk8o44.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	416'140 bytes
First seen:	2025-11-29 04:10:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	75d930149d98b9b34c55459c6a79b293 (30 x XWorm, 12 x AsyncRAT)
ssdeep	6144:P+GYnA0zeWiDi5eJHQ8kV3f+RysMFZzN/EOtbMrtE8sNrwY:/YkDi5eJQ7uysMFZzN/dmBm11
TLSH	T18D947C16F79408FDD497C57489924546DA397C8E1B71EEEF1798422A2F237F08E39B20
TrID	49.9% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.6% (.EXE) OS/2 Executable (generic) (2029/13) 9.5% (.EXE) Generic Win/DOS Executable (2002/3) 9.4% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	amznemu
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

37xk8o44.exe

Verdict:

No threats detected

Analysis date:

2025-11-29 04:44:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/972b85d8-a329-45e1-8dcc-f6652d4eba4f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/41762/

Detection(s):

Win.Packed.njRAT-10002074-1

Win.Packed.Msilzilla-10019837-0

Win.Packed.Loveletter-10023052-0

Win.Packed.Loveletter-10024677-0

Win.Packed.Msilzilla-10026193-0

Win.Trojan.Malwarex-10056560-0

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692a72666cb1dcd577823f6d

Tags:

asyncrat dropper micro remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Enabling the 'hidden' option for recently created files

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 fingerprint microsoft_visual_cc obfuscated reconnaissance xworm

Link:

https://www.filescan.io/uploads/692a72682cd29ea630031ceb/reports/6e056988-bb44-4a77-ba80-89f0f04f9c32/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-29T00:35:00Z UTC

Last seen:

2025-11-29T09:20:00Z UTC

Hits:

~10

Detections:

HEUR:Backdoor.MSIL.XWorm.gen HEUR:Backdoor.MSIL.XClient.b HEUR:Backdoor.MSIL.Convagent.gen VHO:Trojan.Win32.GenericML.xnet Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd9a8d2f-8538-4cd1-94d7-2c1c06b97648

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a

Verdict:

XWorm

YARA:

7 match(es)

Tags:

.Net Executable PE (Portable Executable) PE Memory-Mapped (Dump) RAT XWorm

Link:

https://app.malva.re/file/10772936db74d8871f828ba83497890c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a

Threat name:

Win64.Backdoor.Xworm

Status:

Malicious

First seen:

2025-11-29 04:11:18 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uldz5wpiy33pcqyyfnzlyzjezdlcu6xr563jooxv5tsg7lei5nna._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm persistence rat trojan

Link:

https://tria.ge/reports/251129-er24vavpen/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

Executes dropped EXE

Modifies system executable filetype association

Detect Xworm Payload

Xworm

Xworm family

Verdict:

Malicious

Tags:

rat xworm Win.Packed.njRAT-10002074-1

YARA:

win_mal_XWorm MALWARE_Win_XWorm

Link:

https://app.threat.zone/submission/d8dbc14f-2f32-4445-bdfb-4401811a0829

Unpacked files

SH256 hash:

a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a

MD5 hash:

10772936db74d8871f828ba83497890c

SHA1 hash:

f1181dbc0a9134dfdda43dbacd498eb89aba002a

Link:

https://www.unpac.me/results/ec16d788-0620-41be-aba1-eb1d7717a431/

SH256 hash:

8b7e5402ef6a77a783a3f85fba0bc3a9ad60ac1ff56ad7172e3f96b9a60e3e6f

MD5 hash:

8887d55cb4b87cb60053aad9f813910b

SHA1 hash:

ffccc4bfa81bdb0e46d19d3b4119f45545891a95

Detections:

XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/ec16d788-0620-41be-aba1-eb1d7717a431/

Parent samples :

1402524dbcd6c8954d300e96227954f8797e125ee533b69ddc64ca54cae35d05
a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a
c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569
fc95e50c1ca3372bb4b9dbded1bbf67b72626948f358d8c24bba7835011b14fe

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/41762/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample