MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
SHA3-384 hash: af26080d576198eb3b699907fd14c25a1cfc1c8ef0f5aba4f45104db6ff1938a08d791a9878bb9d07ebab838c91d8d72
SHA1 hash: 3f0ebab552b29fdbcfe608d6f4ac89c3475bf27f
MD5 hash: b7847dfb1a5704b43c5d9369844898e5
humanhash: football-princess-delta-michigan
File name:purchase order-385032.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:857'088 bytes
First seen:2026-04-15 11:35:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'912 x AgentTesla, 19'819 x Formbook, 12'309 x SnakeKeylogger)
ssdeep 12288:2QwqwhbgzThjUfCoQq9mDX6jAt5GWN/I+PE7PRRLS4gslKeo9XGNM4sXL6mLJMQ:2hXMTJJo196eAt5lN/9PE/Llxo1FtJ
Threatray 114 similar samples on MalwareBazaar
TLSH T13505121D129CDB0AC6AA1BF468B0C2B41B786D4CF860E957EFD37EDBB8367149418316
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/df700d95-d2ac-4529-9e7f-53853df46c79/
Malware family:
n/a
ID:
1
File name:
purchase order-385032.bat
Verdict:
Malicious activity
Analysis date:
2026-04-15 11:37:58 UTC
Tags:
auto-startup xworm remote susp-lnk
Link:
https://app.any.run/tasks/e5c8afb9-c49d-4601-8c37-00d72320d78c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/61732/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69df782bf68adfe1003a08f4
Tags:
autorun shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Launching a process
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context lolbin masquerade packed tracker vbnet
Link:
https://www.filescan.io/uploads/69df782b5ea31bc68a2cb357/reports/a4e6f5be-e3e5-455b-8f8b-9cb785bb1331/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-15T05:44:00Z UTC
Last seen:
2026-04-17T07:58:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Backdoor.MSIL.XWorm.gen Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.c VHO:Backdoor.Win32.Agent.gen Trojan.MSIL.Dnoper.sb Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a
Link:
https://opentip.kaspersky.com/a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/092a23c5-b9ae-47dd-b1ec-5a0657d05f1c
Result
Threat name:
KeyLogger, Phantom stealer, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1898648
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Executable File Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Keylogger Generic
Yara detected Phantom stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1898648 Sample: purchase order-385032.bat.exe Startdate: 15/04/2026 Architecture: WINDOWS Score: 100 101 keyauth.win 2->101 109 Suricata IDS alerts for network traffic 2->109 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 26 other signatures 2->115 11 purchase order-385032.bat.exe 8 2->11         started        15 powershell.exe 2->15         started        17 powershell.exe 15 2->17         started        signatures3 process4 file5 93 C:\Users\user\AppData\Roaming\InyfCUYKl.exe, PE32 11->93 dropped 95 C:\Users\...\InyfCUYKl.exe:Zone.Identifier, ASCII 11->95 dropped 97 C:\Users\user\AppData\...\utrtgygd2xs.ps1, ASCII 11->97 dropped 99 C:\...\purchase order-385032.bat.exe.log, ASCII 11->99 dropped 135 Found many strings related to Crypto-Wallets (likely being stolen) 11->135 137 Adds a directory exclusion to Windows Defender 11->137 139 Injects a PE file into a foreign processes 11->139 19 purchase order-385032.bat.exe 2 18 11->19         started        24 powershell.exe 23 11->24         started        26 UFquPtPFnOzZsx.exe 15->26         started        28 conhost.exe 15->28         started        30 InyfCUYKl.exe 17->30         started        32 conhost.exe 17->32         started        signatures6 process7 dnsIp8 103 147.124.213.101, 1985, 49691 AC-AS-1US United States 19->103 89 C:\Users\user\AppData\...\XWormClient.exe, PE32 19->89 dropped 91 C:\Users\user\AppData\Local\Temp\imubwy.bat, PE32 19->91 dropped 125 Loading BitLocker PowerShell Module 19->125 34 imubwy.bat 19->34         started        38 csc.exe 19->38         started        40 purchase order-385032.bat.exe 19->40         started        42 WmiPrvSE.exe 19->42         started        44 conhost.exe 24->44         started        127 Antivirus detection for dropped file 26->127 129 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->129 131 Injects a PE file into a foreign processes 26->131 46 UFquPtPFnOzZsx.exe 26->46         started        133 Multi AV Scanner detection for dropped file 30->133 48 InyfCUYKl.exe 30->48         started        file9 signatures10 process11 file12 81 C:\Users\user\AppData\...\UFquPtPFnOzZsx.exe, PE32 34->81 dropped 83 C:\Users\user\AppData\...\2jbo5o3bxcj.ps1, ASCII 34->83 dropped 117 Antivirus detection for dropped file 34->117 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->119 121 Found many strings related to Crypto-Wallets (likely being stolen) 34->121 123 2 other signatures 34->123 50 imubwy.bat 34->50         started        53 powershell.exe 34->53         started        85 C:\Users\...\purchase order-385032.bat.exe, PE32 38->85 dropped 55 conhost.exe 38->55         started        57 cvtres.exe 38->57         started        87 C:\...\purchase order-385032.bat.exe.log, CSV 40->87 dropped 59 cmd.exe 46->59         started        signatures13 process14 signatures15 105 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 50->105 61 cmd.exe 50->61         started        107 Loading BitLocker PowerShell Module 53->107 63 conhost.exe 53->63         started        65 conhost.exe 59->65         started        67 chcp.com 59->67         started        69 taskkill.exe 59->69         started        71 timeout.exe 59->71         started        process16 process17 73 conhost.exe 61->73         started        75 chcp.com 61->75         started        77 taskkill.exe 61->77         started        79 timeout.exe 61->79         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
Threat name:
ByteCode-MSIL.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2026-04-15 11:36:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzog67rwuj2eaksawpowo3kq5uafaw6h47a6ynh26heix3twzgia._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
030967003eace6864210b5ac969bd55e91eda783aa60869fe6ff6dae00ee9c96
AsyncRAT
06319316c7d3da0881bcf83a4509a9dd15fa4765228240b0d4c7684df40aa99d
AsyncRAT
4d598bafdcea52627cc45652e78ba810026ecbcc63a36d026733ee4ff3daf4d0
AsyncRAT
8d6c9a0ee15669f2b8e2ffe7990de7bcedac26f28f5adb4578482252e43b48ea
AsyncRAT
a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
AsyncRAT
error
AsyncRAT
+ 104 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer family:xworm collection defense_evasion discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260415-nqndqscy3q/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects PhantomStealer written in C#
Family: PhantomStealer
Family: Xworm
Malware Config
C2 Extraction:
147.124.213.101:1985
https://api.telegram.org/bot8694435716:AAF1wqJMTpVT-ehPqWh6vxML-mTtyi-RCos/sendMessage?chat_id=8774497415
Unpacked files
SH256 hash:
a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
MD5 hash:
b7847dfb1a5704b43c5d9369844898e5
SHA1 hash:
3f0ebab552b29fdbcfe608d6f4ac89c3475bf27f
Link:
https://www.unpac.me/results/130ef69d-50b6-46c3-b50c-aa7321f4c8a2/
SH256 hash:
ffdda6fcf5f93bb0156cd0b98b4b80db2972a3c0b40fe095d68e0b58acaa26c6
MD5 hash:
b43c5ef015ed1a984a6b9958de058b0b
SHA1 hash:
066b4010b4307b5fc5ec33cafa90d96d6eeb9144
Link:
https://www.unpac.me/results/130ef69d-50b6-46c3-b50c-aa7321f4c8a2/
SH256 hash:
b19f75067ddc24abe3fe5959888b6e8003e161807789f90581d10720e67a6e7a
MD5 hash:
875ca1b8b717d00c477882c5bbed2894
SHA1 hash:
0f60dfa378122629711043c08c9a544c3a4c60c1
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/130ef69d-50b6-46c3-b50c-aa7321f4c8a2/
Parent samples :
ad49daecf36c736fc7db65a547e2fd0756c69847778638edb6b1f7bd16a5310e
a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
64268aabb05ab23b0e746311547591818ac496ff355ab8f158645a5060a94f2f
6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847
993d9460098137391a6f1775c070d535c47138a06a88c2c5250c99b79f28dca8
SH256 hash:
1f7608af86e1269229cb0491b44313c2825405b69b7d4d7b30cc747cd1a47a2d
MD5 hash:
cc572a9507a1405aef39d5e144a4d33a
SHA1 hash:
474c93c46dc00d84fa47c6a1fdef9320f94c2273
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/130ef69d-50b6-46c3-b50c-aa7321f4c8a2/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a65c6f7e36a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/61732/

Comments