MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da
SHA3-384 hash: c1e9e60b54e269b8284825a591e9cf51e3b5f1220007b32297ff0666663b3774a3d19c2714f0dd989b703d560d6185fd
SHA1 hash: e24e3f53b3d65bf80dcfd9b856b84d3db52a66c7
MD5 hash: ec3eb6e3b3d6300e1c2734f3f732c4f8
humanhash: artist-nuts-sodium-zebra
File name:GHXW0987654567800000.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:786'944 bytes
First seen:2026-06-05 06:53:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 12288:udtkwq+PV1twMCBCkk6Qt6+4vU9/GbIFgWHIn65yZbzJmRhqtalRjudF:s+wq+djwxBCkpb+yEO8qZ65yZbVEMQK
Threatray 1'574 similar samples on MalwareBazaar
TLSH T135F4016A0927C602E4A56F705DB4E2B46BB66EAFF135D02E5ECE0C6BBB633147D01350
TrID 72.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win64 Executable (generic) (6522/11/2)
4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 60e0c2a3a3e4b292 (1 x RemcosRAT, 1 x PhantomStealer, 1 x AsyncRAT)
Reporter lowmal3
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6a060c0a-06db-463d-886d-fbfc273c183e/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-05 07:21:43 UTC
Tags:
auto-reg xworm
Link:
https://app.any.run/tasks/da2cbc50-e615-411c-9ff4-9470dddbf457

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69132/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3578.17150.19929.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a227264f8676ad4d36144af
Tags:
stration micro shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/6a22725f12da0d249c65d113/reports/25b20c54-fd65-41e8-8c92-24f4fd1ee504/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-04T02:59:00Z UTC
Last seen:
2026-06-07T05:09:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22e76e52-5c71-4f3e-90cc-0265b5c80284
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923424
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923424 Sample: GHXW0987654567800000.exe Startdate: 05/06/2026 Architecture: WINDOWS Score: 100 69 otelrules.svc.static.microsoft 2->69 71 otelrules-bzhndjfje8dvh5fd.z01.azurefd.net 2->71 73 4 other IPs or domains 2->73 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 15 other signatures 2->83 9 GHXW0987654567800000.exe 1 7 2->9         started        13 powershell.exe 19 2->13         started        15 powershell.exe 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 59 C:\Users\user\AppData\Roaming\PtwLWb.exe, PE32 9->59 dropped 61 C:\Users\user\...\PtwLWb.exe:Zone.Identifier, ASCII 9->61 dropped 63 C:\Users\user\AppData\...\g3omxrhexkm.ps1, ASCII 9->63 dropped 65 C:\Users\...behaviorgraphHXW0987654567800000.exe.log, ASCII 9->65 dropped 101 Creates autostart registry keys with suspicious values (likely registry only malware) 9->101 103 Creates an autostart registry key pointing to binary in C:\Windows 9->103 105 Writes to foreign memory regions 9->105 107 3 other signatures 9->107 20 MSBuild.exe 1 3 9->20         started        24 powershell.exe 23 9->24         started        26 MSBuild.exe 9->26         started        36 2 other processes 9->36 28 PtwLWb.exe 13->28         started        30 conhost.exe 13->30         started        32 PtwLWb.exe 15->32         started        34 conhost.exe 15->34         started        67 127.0.0.1 unknown unknown 17->67 file6 signatures7 process8 dnsIp9 75 192.3.171.223, 4445, 49681, 49694 AS-COLOCROSSING-HostPapaUS United States 20->75 85 Tries to steal Mail credentials (via file / registry access) 20->85 87 Tries to harvest and steal browser information (history, passwords, etc) 20->87 38 csc.exe 4 20->38         started        41 MSBuild.exe 20->41         started        89 Loading BitLocker PowerShell Module 24->89 43 WmiPrvSE.exe 24->43         started        45 conhost.exe 24->45         started        91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->91 93 Multi AV Scanner detection for dropped file 28->93 95 Writes to foreign memory regions 28->95 97 Allocates memory in foreign processes 28->97 47 MSBuild.exe 28->47         started        99 Injects a PE file into a foreign processes 32->99 49 MSBuild.exe 32->49         started        51 MSBuild.exe 32->51         started        signatures10 process11 file12 57 C:\Users\user\AppData\Local\...\MSBuild.exe, PE32 38->57 dropped 53 conhost.exe 38->53         started        55 cvtres.exe 38->55         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da
Threat name:
Win32.Trojan.PhantomStealer
Create hunting rule
Status:
Malicious
First seen:
2026-06-04 06:44:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5uawcwjnpk3xxznt6gwpsn2ktuq2e47dsjripxxlz7y6o4x2hna._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
1b4a9f2ef2c2d24a36a720931c6b6ab75de02a0680ce73e0cd80971ddd11afe1
AsyncRAT
3a444e7690f35fee4be070d0656bc7f0adab9bdcec798d5af27fc3c93e08f611
AsyncRAT
3b39da6b761aebfac6324138212fd5a6eeb89a50ef1e7b8f8a813c07ac920062
AsyncRAT
67e7b0bf057c8c7ef117be16a168833235920d0af16921ff59d0866f0d05e050
AsyncRAT
d4a68d8a848dd0af45a07168ddb2cae1598d3dff26c7e1a82d55881af058c43b
AsyncRAT
error
AsyncRAT
+ 1'564 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat trojan
Link:
https://tria.ge/reports/260605-hnqhesbz51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Malware Config
C2 Extraction:
192.3.171.223:4445
Unpacked files
SH256 hash:
af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da
MD5 hash:
ec3eb6e3b3d6300e1c2734f3f732c4f8
SHA1 hash:
e24e3f53b3d65bf80dcfd9b856b84d3db52a66c7
Link:
https://www.unpac.me/results/73affc5a-1fca-406c-b9e6-00c4f220d9d9/
SH256 hash:
53621628353329b35f1fc4ee995b6ee43ad8bbf6a21956ff6e620b05a1ede650
MD5 hash:
a41d901f83b125d1b6db34d7e9f0f90d
SHA1 hash:
22b4f6c860b6080f59607bb6811ecc41eb766929
Link:
https://www.unpac.me/results/73affc5a-1fca-406c-b9e6-00c4f220d9d9/
SH256 hash:
78c7afbcad01022d73475726e6249c3f6dfefd746af7022207e5ef8a33e4987e
MD5 hash:
b6b94ebf8592f40a76514c647499d7c6
SHA1 hash:
686d14b9af8ec15dc9bdac5b77a46cc1ca984f15
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
Link:
https://www.unpac.me/results/73affc5a-1fca-406c-b9e6-00c4f220d9d9/
SH256 hash:
bcd25f42f2e78848767f4808c71a1a2e3e82b87c46c3eebca79270175fff78f8
MD5 hash:
05014473837208e45374c27937bf2fd8
SHA1 hash:
752f1582c5d5f21c4966e73b9ed2719a87b076e8
Link:
https://www.unpac.me/results/73affc5a-1fca-406c-b9e6-00c4f220d9d9/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af680b0ac96b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Runtime_Broker_Variant_1
Create hunting rule
Author:Sn0wFr0$t
Description:Detecting malicious Runtime Broker
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe af680b0ac96bd5bbdf2d9f8d67c9ba54e90d139f1c93143ef75e7f8f3b97d1da

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69132/

Comments