MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1b2ce043a42e8a9fd97d478bf86776103b2be910dfcff97e7d9ce6378e7701e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1b2ce043a42e8a9fd97d478bf86776103b2be910dfcff97e7d9ce6378e7701e
SHA3-384 hash: bf1e32a8219cf30446db9d2c2dfdb890122db82a31c838ebfc44b875083312db42654ab30acf8844bdb046e528bab0e5
SHA1 hash: 8cacd12ab5c7695626d67d4d5bc13c7510217039
MD5 hash: d89940de135aefb14006171ce9583685
humanhash: virginia-utah-april-illinois
File name:xenoexecutorexe.EXE
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:89'849'856 bytes
First seen:2026-06-24 11:18:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9da7080b9b697496fd4f41997e8bd436 (1 x INC, 1 x HVNC, 1 x RemcosRAT)
ssdeep 1572864:HgetfL93x0KUSKqq3h0EL86eaSKkeFkEX5UYc4N6JJ90bgkJVxtIK96iYG:HgEblkh0EL8Ip77X5dc4N6z90U2Vj+ir
Threatray 44 similar samples on MalwareBazaar
TLSH T1101833504348C614F254D735BCE1A3C3D122B6E7CBA973FB2967CA6BD957AC88A30E44
TrID 54.3% (.EXE) InstallShield setup (43053/19/16)
20.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.2% (.EXE) Win64 Executable (generic) (6522/11/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'108 x Amadey, 288 x Smoke Loader)
Reporter burger
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/eec259f1-c5ee-4a51-9972-78ec6f83e5b8/
Malware family:
n/a
ID:
1
File name:
xenoexecutorexe.EXE
Verdict:
Malicious activity
Analysis date:
2026-06-24 11:19:00 UTC
Tags:
auto generic discord nodejs openssl tool
Link:
https://app.any.run/tasks/8130bf9d-86f0-46ba-8bd7-f89cdde05530

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3bbce81548daf709f96140
Tags:
asyncrat extens virus blic
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer installer installer lolbin microsoft_visual_cc rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/6a3bbd469799578a6c49a2a4/reports/349af29d-275b-4c7e-a0f3-3f8f6fa90a54/overview
Verdict:
Malicious
Labled as:
MSIL_Agent_CAK_trojan
Link:
https://www.hybrid-analysis.com/sample/b1b2ce043a42e8a9fd97d478bf86776103b2be910dfcff97e7d9ce6378e7701e
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-24T08:42:00Z UTC
Last seen:
2026-06-24T10:44:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Tasker.cust Trojan.MSIL.DInvoke.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan.MSIL.Agent.gen Exploit.Win32.BypassUAC.sb Trojan.Win32.Agent.sb Trojan-Banker.Win32.Express.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.Darkrat.sb Trojan-PSW.MSIL.DiscoStealer.sb HEUR:Trojan-PSW.MSIL.Stealer.gen HEUR:HackTool.MSIL.EtwHook.gen Backdoor.MSIL.VenomRAT.a Trojan-PSW.MSIL.Stealer.a Trojan.MSIL.Agent.sb Trojan-PSW.MSIL.Stealerium.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan.Win32.Generic Backdoor.MSIL.Crysan.sb Trojan.Win32.Agent.sba Trojan-PSW.MSIL.Agent.sb HEUR:Exploit.MSIL.BypassUAC.c HEUR:Backdoor.MSIL.SheetRat.gen Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/b1b2ce043a42e8a9fd97d478bf86776103b2be910dfcff97e7d9ce6378e7701e/results?tab=lookup
Result
Threat name:
KeyLogger, StormKitty, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1933103
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops large PE files
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1933103 Sample: xenoexecutorexe.EXE.exe Startdate: 24/06/2026 Architecture: WINDOWS Score: 100 60 x3no.pages.dev 2->60 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for dropped file 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 6 other signatures 2->82 11 xenoexecutorexe.EXE.exe 1 4 2->11         started        15 rundll32.exe 2->15         started        signatures3 process4 file5 54 C:\Users\user\AppData\Local\Temp\...\xeno.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\Local\...\XENO-V~1.EXE, PE32 11->56 dropped 86 Found many strings related to Crypto-Wallets (likely being stolen) 11->86 88 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->88 17 XENO-V~1.EXE 312 11->17         started        signatures6 process7 file8 44 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 17->44 dropped 46 C:\Users\user\AppData\Local\...\System.dll, PE32 17->46 dropped 48 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 17->48 dropped 50 30 other malicious files 17->50 dropped 72 Antivirus detection for dropped file 17->72 74 Drops large PE files 17->74 21 Xeno-v1.3.55.exe 74 17->21         started        signatures9 process10 signatures11 84 Unusual module load detection (module proxying) 21->84 24 chrome.exe 21->24         started        26 Xeno-v1.3.55.exe 21->26         started        29 explorer.exe 17 5 21->29 injected 31 4 other processes 21->31 process12 dnsIp13 33 chrome.exe 24->33         started        68 chrome.cloudflare-dns.com 172.64.41.3 CLOUDFLARENET-CloudflareIncUS Canada 26->68 70 x3no.pages.dev 172.66.47.131 CLOUDFLARENET-CloudflareIncUS Canada 26->70 process14 dnsIp15 58 192.168.2.6, 443, 49688, 49691 unknown unknown 33->58 36 chrome.exe 33->36         started        40 chrome.exe 33->40         started        42 chrome.exe 33->42         started        process16 dnsIp17 62 www.google.com 142.251.151.119, 443, 49702, 49710 GOOGLE-GoogleLLCUS United States 36->62 64 mobile-gtalk.l.google.com 142.251.163.188 GOOGLE-GoogleLLCUS United States 36->64 66 9 other IPs or domains 36->66 52 Chrome Cache Entry: 823, PDP-11 36->52 dropped file18
Score:
67%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/b1b2ce043a42e8a9fd97d478bf86776103b2be910dfcff97e7d9ce6378e7701e
Gathering data
Verdict:
Malicious
Threat:
Backdoor.MSIL.Stealer
Link:
https://tip.neiki.dev/file/b1b2ce043a42e8a9fd97d478bf86776103b2be910dfcff97e7d9ce6378e7701e
Threat name:
ByteCode-MSIL.Trojan.CryoMarte
Create hunting rule
Status:
Malicious
First seen:
2026-06-23 23:37:11 UTC
File Type:
PE+ (Exe)
Extracted files:
44962
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgzm4bb2ilukt7mx2r4l7btxmeb3fpurbx6p7f7h3hhgg6hhoapa._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
hiddenvnc
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
689ae74e5f1398423134f44ecf309e0edff885307376162c3286d560ebfe07c1
AsyncRAT
6c7d12121192bc6cb052b0cc6542dc07418893f993860fdfb9f4392f5890f9b3
AsyncRAT
b1b2ce043a42e8a9fd97d478bf86776103b2be910dfcff97e7d9ce6378e7701e
AsyncRAT
b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec
AsyncRAT
bb00b166bd615e9b94ad242822696dbe6dba717af39aee9ebbd3d7734e0f0683
AsyncRAT
error
AsyncRAT
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/260624-ne5tmsbw5s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments