MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
SHA3-384 hash: 329016b59fa7fe5198314fc6c25ab4482bffa7b71254b6a43d498c100a8659c44fa2456d4d43e9630dbae6f46e34acf4
SHA1 hash: 41951ef43f0b03e93b9c0581855df8e16fd8868d
MD5 hash: 99282d950953cc59d026050dbe94fb39
humanhash: alaska-kansas-kilo-uncle
File name:1.VGM - CFS.DOCX - HBL#7809108109CLS-121 SO#3081PLCL shipment.PDF.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:721'920 bytes
First seen:2026-01-20 08:13:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:5s6At49gawce/VXdRPCG3cbzVTbIk0+L+RB9X9y7hq:5sihI/oG3cbzV3VbC7
TLSH T12DE4F11427D9CA03D8B72BF50975E33617B4BE9AE810C31A8EE9BCDB3434B409994797
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5abd0e07-10e5-4178-9781-e2bd21001513/
Malware family:
n/a
ID:
1
File name:
1.VGM - CFS.DOCX - HBL#7809108109CLS-121 SO#3081PLCL shipment.PDF.scr
Verdict:
Malicious activity
Analysis date:
2026-01-20 08:15:45 UTC
Tags:
remote xworm
Link:
https://app.any.run/tasks/0de99418-9eb3-4c41-a6bd-3b07555ebb0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49483/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696f3964bcad3327ec06b15f
Tags:
autorun dropper micro virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer krypt lolbin masquerade packed regedit runonce
Link:
https://www.filescan.io/uploads/696f396255805a763fea4258/reports/a6f3a320-266e-4d93-bfe1-dfb3e45d5363/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-20T04:26:00Z UTC
Last seen:
2026-01-22T03:58:00Z UTC
Hits:
~1000
Detections:
BSS:Trojan.Win32.Badex.c2 Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.c HEUR:Backdoor.MSIL.Remcos.gen BSS:Trojan.Win32.Generic BSS:Trojan.Win32.Badex.c Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.b
Link:
https://opentip.kaspersky.com/a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f7000a3-a969-4063-b480-a504518c249c
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1853790
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.42 Win 32 Exe x86
Link:
https://app.malva.re/file/99282d950953cc59d026050dbe94fb39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2026-01-20 07:38:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vabyaiih6pxbgkacebeckejmguchbfi3ou6ywsh4c6ed3xzf4ssq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
AsyncRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery rat trojan
Link:
https://tria.ge/reports/260120-j47x3sdw8e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Drops startup file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
172.94.15.100:6070
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6373e423-2e88-48e0-a006-236c765cbdae
Unpacked files
SH256 hash:
a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
MD5 hash:
99282d950953cc59d026050dbe94fb39
SHA1 hash:
41951ef43f0b03e93b9c0581855df8e16fd8868d
Link:
https://www.unpac.me/results/6154b8a8-4b7d-493b-bd4f-b0470b931da3/
SH256 hash:
652cdcef6db20115c4aa09c2ac8db67b581c32bac2cf9be79fbb4d115b48872b
MD5 hash:
ca6a4457fb351cc529ba1f0373b15d81
SHA1 hash:
7ad894f38803ac957515a16813181b5e61112958
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6154b8a8-4b7d-493b-bd4f-b0470b931da3/
SH256 hash:
d4c5416bc2a5af3b1774ff39cb97559b60e9637b65e202e9d35cf1693f3ce471
MD5 hash:
6767996995d8a605a650adfb85503744
SHA1 hash:
b94096e4454ad8f0279c329b5a00a4578363d8d8
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/6154b8a8-4b7d-493b-bd4f-b0470b931da3/
Parent samples :
c6aa56afa7a6941d9bb8786b07e192ea996d3a133c992285b58349cc5c204561
bf46723d199408eb636dfbb7d50ef97fad7c96be7aedca35fa350c92a7492a4e
44ece3fd771b241e7adb7b8a46317aa0dce39aa4b815912805de4dc6ff631ae4
5f947957f8b2c4cc8609167eaec826c9855e15c55dac3926c33b2a0c003cf773
a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
a3c7847164f2c9a18c8c6bed01241b84fffbd6d866195e92f556ba0a596d0428
5c0bdefeb2e965c9cb1aa42e28b84b31e11693b4438c47e97be98fb1b496d940
6a6af729bcfe6c368c81300a7b3f078b6077b365d7dad49b9c0bc4d1ee3f71b2
fada71925be3d53eee961507cb43bc2ee409d406770c7ddb7f2f06afae85a456
SH256 hash:
7b85dff2263d08ce6e5ea4976979e8f81ccc71c437d1ea50998f199f40be5d7f
MD5 hash:
42168ddde847c9e587c65ad5ccc4e60d
SHA1 hash:
e18d250c34791ec1ee87d951ee85e3a93357ebe0
Detections:
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/6154b8a8-4b7d-493b-bd4f-b0470b931da3/
Parent samples :
a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5
9ceb01ca3ce5aa4bbac88914dd7a914483035ec7fe5011e007b251385b76a3bf
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a803802107f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe a803802107f3ee132802204825112c350470951b753d8b48fc17883ddf25e4a5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49483/

Comments