MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7
SHA3-384 hash: 77499fff4272abe5419cc0618f76371ad2dfc28a876bafc367e5ca33d6111a5dc137779e9e79590a10a401b061b2e2e3
SHA1 hash: 4b2264555b0b612a71dd16a6164de50fa12c5c16
MD5 hash: ca3c89c340a55b727fba1a1009cd0c0c
humanhash: kitten-kitten-green-sodium
File name:dsl.exe1
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:640'520 bytes
First seen:2025-03-22 16:14:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:1UNPINJ9m1rZsxyGUxY2xhXZnme6rOAimHkR:iNPmCNoZ12xhXVurOuS
Threatray 2'438 similar samples on MalwareBazaar
TLSH T1E3D4F1E13790E652D4244B71D1A7EBBE0733BD1EA650CB4761CCFDAB3A723502409B9A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 32f4c48cceecf0b1 (1 x XWorm, 1 x AsyncRAT)
Reporter KatzenTech
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
380
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dsl.exe1
Verdict:
Malicious activity
Analysis date:
2025-03-22 16:16:41 UTC
Tags:
remote xworm
Link:
https://app.any.run/tasks/50fabbb0-7bc7-4562-bbaf-88713517b80d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dee1e2518d210202e7f273
Tags:
virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature masquerade obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67dee1d1e05c48ec61e61ddc/reports/62fc450e-5772-47b3-bd67-e367989fff21/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43f5f9c8-52a3-4285-96b4-eedf84cb8701
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1645819
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645819 Sample: dsl.exe1.exe Startdate: 22/03/2025 Architecture: WINDOWS Score: 100 46 httpss.myvnc.com 2->46 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 11 other signatures 2->54 8 dsl.exe1.exe 7 2->8         started        12 SDUKOwd.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\SDUKOwd.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp8DD2.tmp, XML 8->40 dropped 42 C:\Users\user\AppData\...\dsl.exe1.exe.log, ASCII 8->42 dropped 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Adds a directory exclusion to Windows Defender 8->60 14 powershell.exe 23 8->14         started        17 dsl.exe1.exe 2 8->17         started        20 schtasks.exe 1 8->20         started        22 dsl.exe1.exe 8->22         started        62 Multi AV Scanner detection for dropped file 12->62 24 schtasks.exe 1 12->24         started        26 SDUKOwd.exe 12->26         started        28 SDUKOwd.exe 12->28         started        signatures6 process7 dnsIp8 64 Loading BitLocker PowerShell Module 14->64 30 WmiPrvSE.exe 14->30         started        32 conhost.exe 14->32         started        44 httpss.myvnc.com 193.183.217.71, 1907, 49724 TELIANETTeliaCarrierEU Sweden 17->44 34 conhost.exe 20->34         started        36 conhost.exe 24->36         started        signatures9 process10
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7/
Threat name:
ByteCode-MSIL.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2025-03-18 16:19:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uqzznhppxapknuzw4iryw6oypv3gx2jpxskdpetim5d45txzrp3q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
xworm
Create hunting rule
Similar samples:
1728272602fae724ae826f2a53bcfdb2f82200d329771445cab7380d62a883d6
AsyncRAT
49cd0288b2330341cf16b3d8566f046c367e1f20c38090dab0ab794b740e1036
AsyncRAT
595e9098c3748bee87937fb4d8fd6620891926c9e9077299687428d4f48140f9
AsyncRAT
e56837db56867e394ea649124f410a11c9086df6476ce168e6943376ae6c89b9
AsyncRAT
+ 2'428 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/250322-tpqelazqv9/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
httpss.myvnc.com:1907
Gathering data
Unpacked files
SH256 hash:
a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7
MD5 hash:
ca3c89c340a55b727fba1a1009cd0c0c
SHA1 hash:
4b2264555b0b612a71dd16a6164de50fa12c5c16
Link:
https://www.unpac.me/results/32131f33-4706-4eff-8721-488f8bcb227e/
SH256 hash:
aac195a64bca25118d6b9d2e046c2102725ff63429e8010e9a0f6e585a9a8a57
MD5 hash:
04bf130010d0a7b9bbcc284a5aa7cb77
SHA1 hash:
887d77596bff2578431244482fd97bc38ac62511
Link:
https://www.unpac.me/results/32131f33-4706-4eff-8721-488f8bcb227e/
SH256 hash:
ea9d95091c01807e2887f952eafbcb8578430a0a30aa55647f4c379bfd9ab525
MD5 hash:
765fe075e8856f578a65307c123358ec
SHA1 hash:
b08d1a68b96b6831f07498dad431e65d596dc262
Detections:
win_xworm_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/32131f33-4706-4eff-8721-488f8bcb227e/
Parent samples :
e56837db56867e394ea649124f410a11c9086df6476ce168e6943376ae6c89b9
a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7
SH256 hash:
18d9e11d134ec71309c34a7fab9b7a4134b3c7663a1d56739bba579e646b4026
MD5 hash:
f69e95b716084453274d96a4bb6c3987
SHA1 hash:
f14c8aa6852cd00e747447286357490efdfeceb5
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/32131f33-4706-4eff-8721-488f8bcb227e/
Parent samples :
e56837db56867e394ea649124f410a11c9086df6476ce168e6943376ae6c89b9
a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a433969defb8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_dbae6542
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe a433969defb81ea6d336e2238b79d87d766be92fbc943792686747cecef98bf7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3487074/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments