MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569
SHA3-384 hash:	10aca066d637487784d5dceacd6c9bee3e7338101ca3b5b64cf299a26a6725fb6dbdca4fab2947f42fdde8e01b77f231
SHA1 hash:	89a0cead6a9519f422741c05367a6889d05ac77a
MD5 hash:	1b671a06f31f1805f101cd0f2251ab57
humanhash:	butter-crazy-diet-item
File name:	hd5nv.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	416'140 bytes
First seen:	2025-11-29 04:11:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	75d930149d98b9b34c55459c6a79b293 (30 x XWorm, 12 x AsyncRAT)
ssdeep	6144:u+GYnA0zeWiDi5eJHQ8kV3f+RysMFZzN/EOtbMrtYNsNrwr:iYkDi5eJQ7uysMFZzN/dmB11S
TLSH	T119947C16F79408FDD4A7C57489924546DA3A7C8E1B71EEEF1798422A2F237F08E39720
TrID	49.9% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.6% (.EXE) OS/2 Executable (generic) (2029/13) 9.5% (.EXE) Generic Win/DOS Executable (2002/3) 9.4% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	amznemu
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

hd5nv.exe

Verdict:

Malicious activity

Analysis date:

2025-11-29 04:36:31 UTC

Tags:

xworm

Link:

https://app.any.run/tasks/c647619f-409d-4486-b994-5bcaafd61e9d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/41766/

Detection(s):

Win.Packed.njRAT-10002074-1

Win.Packed.Msilzilla-10019837-0

Win.Packed.Loveletter-10023052-0

Win.Packed.Loveletter-10024677-0

Win.Packed.Msilzilla-10026193-0

Win.Trojan.Malwarex-10056560-0

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692a72726cb1dcd577823f8b

Tags:

asyncrat dropper xworm micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a recently created process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-29T00:35:00Z UTC

Last seen:

2025-11-29T01:48:00Z UTC

Hits:

~10

Detections:

VHO:Trojan.Win32.GenericML.xnet Trojan.Win32.Agent.sb HEUR:Backdoor.MSIL.XWorm.gen HEUR:Backdoor.MSIL.XClient.b HEUR:Backdoor.MSIL.Convagent.gen

Link:

https://opentip.kaspersky.com/c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95dc3294-388f-435d-a157-55fb51955226

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569

Verdict:

XWorm

YARA:

7 match(es)

Tags:

.Net Executable PE (Portable Executable) PE Memory-Mapped (Dump) RAT XWorm

Link:

https://app.malva.re/file/1b671a06f31f1805f101cd0f2251ab57

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569

Threat name:

Win64.Backdoor.Xworm

Status:

Malicious

First seen:

2025-11-29 04:11:23 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ywpfdjpawl3bncg4wzlyf7fwkdjn4vrt4tv7djdaml7n3kspyvuq._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm persistence rat trojan

Link:

https://tria.ge/reports/251129-er3elsdx9h/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

Executes dropped EXE

Modifies system executable filetype association

Detect Xworm Payload

Xworm

Xworm family

Verdict:

Malicious

Tags:

rat xworm Win.Packed.njRAT-10002074-1

YARA:

win_mal_XWorm MALWARE_Win_XWorm

Link:

https://app.threat.zone/submission/bd32d320-5f2e-4f37-89b8-3600e5ec7d5f

Unpacked files

SH256 hash:

c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569

MD5 hash:

1b671a06f31f1805f101cd0f2251ab57

SHA1 hash:

89a0cead6a9519f422741c05367a6889d05ac77a

Link:

https://www.unpac.me/results/22e14fc9-4b5a-4afd-82c1-8f4c5e3be418/

SH256 hash:

8b7e5402ef6a77a783a3f85fba0bc3a9ad60ac1ff56ad7172e3f96b9a60e3e6f

MD5 hash:

8887d55cb4b87cb60053aad9f813910b

SHA1 hash:

ffccc4bfa81bdb0e46d19d3b4119f45545891a95

Detections:

XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/22e14fc9-4b5a-4afd-82c1-8f4c5e3be418/

Parent samples :

1402524dbcd6c8954d300e96227954f8797e125ee533b69ddc64ca54cae35d05
a2c79ed9e8c6f6f143182b72bc6524c8d62a7af1efb6973af5ece46fac88eb5a
c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569
fc95e50c1ca3372bb4b9dbded1bbf67b72626948f358d8c24bba7835011b14fe

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c59e51a5e0b2f61688dcb65782fcb650d2de5633e4ebf1a46062feddaa4fc569

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/41766/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample