MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01
SHA3-384 hash: 90d7845b8a69e1f16d40c407b6db461e1ddfabda1f16db85a70ae054abade303f60ab1b2bb87dbc7f05fa0000b1b1cac
SHA1 hash: eabe1199f54d2fc1c166ef74ae4247194a81a1c0
MD5 hash: 54a08afb7d4946dfdd48d907bd2af047
humanhash: angel-wyoming-alpha-spring
File name:AV25097 Delivery Note.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:528'392 bytes
First seen:2025-05-13 11:04:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 6144:LVKK5M9CJOkaxHgBC5jMWJm89uxV8eLhXXcZJ+FtzN/BHoPIWuqmJeBW8oBUPykR:0KeQByA0V7zuxV83YFpA3mUBW8oB0ykR
Threatray 702 similar samples on MalwareBazaar
TLSH T136B4F1653B6ADD06CA9A5F741C71D3B94BF5AF8DA802C3078EE9BDEF34623442412352
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter smica83
Tags:196-251-87-81 AsyncRAT exe HUN xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
602
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AV25097 Delivery Note.scr
Verdict:
Malicious activity
Analysis date:
2025-05-13 11:07:19 UTC
Tags:
auto-startup netreactor xworm
Link:
https://app.any.run/tasks/5c7cb44c-6659-4405-b092-55ad00521518

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3329.16482.19068.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682328354a59e5a2ce043118
Tags:
autorun keylog micro spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Connection attempt
Forced shutdown of a system process
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature masquerade obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/68232776c7418694c8a9aee3/reports/1abd2c90-6905-4778-8400-7e32489adb89/overview
Verdict:
Malicious
Labled as:
Dacic.5845.Generic
Link:
https://www.hybrid-analysis.com/sample/ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4aceca5b-178f-4f92-b3d9-287c932bf8ba
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1688842
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1688842 Sample: AV25097 Delivery Note.scr.exe Startdate: 13/05/2025 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 12 other signatures 2->61 7 AV25097 Delivery Note.scr.exe 7 2->7         started        11 cRXmQXIhUkHn.exe 5 2->11         started        13 svchost.exe 1 1 2->13         started        process3 dnsIp4 41 C:\Users\user\AppData\...\cRXmQXIhUkHn.exe, PE32 7->41 dropped 43 C:\Users\...\cRXmQXIhUkHn.exe:Zone.Identifier, ASCII 7->43 dropped 45 C:\Users\user\AppData\Local\...\tmpDF8E.tmp, XML 7->45 dropped 47 C:\...\AV25097 Delivery Note.scr.exe.log, ASCII 7->47 dropped 63 Adds a directory exclusion to Windows Defender 7->63 16 powershell.exe 23 7->16         started        19 RegSvcs.exe 6 7->19         started        23 schtasks.exe 1 7->23         started        29 2 other processes 7->29 65 Multi AV Scanner detection for dropped file 11->65 67 Writes to foreign memory regions 11->67 69 Allocates memory in foreign processes 11->69 71 Injects a PE file into a foreign processes 11->71 25 schtasks.exe 11->25         started        27 RegSvcs.exe 11->27         started        51 127.0.0.1 unknown unknown 13->51 file5 signatures6 process7 dnsIp8 53 Loading BitLocker PowerShell Module 16->53 31 WmiPrvSE.exe 16->31         started        33 conhost.exe 16->33         started        49 196.251.87.81, 7040 SONIC-WirelessZA Seychelles 19->49 39 C:\Users\user\AppData\Roaming\XClean.exe, PE32 19->39 dropped 35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        file9 signatures10 process11
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-13 07:00:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zieb2lu6kexbkfxnygacmlcdbho2qowxcsridk6sn7a2mwf45uaq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
xworm
Create hunting rule
Similar samples:
39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a
AsyncRAT
54f015287731308328345efdc18a593d3b5a57efdd04278efb9da7f5127df37f
AsyncRAT
ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01
AsyncRAT
d384ba14fe02622e460cd9805eb86a45b6c4f9e787ecdc015bc6034e69410e3d
AsyncRAT
ebc88926926a0e2b3dd6f1a5d4149f561e448d8daa57305ec3bb0a4ba9285bae
AsyncRAT
error
AsyncRAT
+ 692 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/250513-m62evst1dt/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
196.251.87.81:7040
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04560982-7deb-46e3-bf69-8e3b117ffc65
Unpacked files
SH256 hash:
ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01
MD5 hash:
54a08afb7d4946dfdd48d907bd2af047
SHA1 hash:
eabe1199f54d2fc1c166ef74ae4247194a81a1c0
Link:
https://www.unpac.me/results/e80391d1-80c6-4ad2-bb56-81862f35de31/
SH256 hash:
e65bc4732f18966eeaba9700bb83489074f63082cf28bc05e90d278a1761ac25
MD5 hash:
f568aa0b7be96ed2102e8de46d59248b
SHA1 hash:
5031c8d479988ff22716c13646fc6ba8cd6a78d8
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e80391d1-80c6-4ad2-bb56-81862f35de31/
Parent samples :
eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc
3ff3db68a75d4c52f3910396564f35999b3571ed75850df0c403b851433582ec
285bd22ba49a3de603e9fff856a0bd3111e43629ad29e24bb41178afd93ece23
54f015287731308328345efdc18a593d3b5a57efdd04278efb9da7f5127df37f
ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01
c3f39d499f8599e009697219a0c0f9b5fd91848b693fcaf4abdc0d15bdc67de0
44123cf2ed8f575c4643cacfcd51e18188edeca34b343af433c98ac03fb691ea
76f35c8ecea90bb9709af24f9183489a711f04fc00f26d3cae74fbcdf7bde6c5
d539ab19fd873bd36c22b38f3d8a85683220a7bcce13a9c962652d6165c33c2e
ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
SH256 hash:
07e9249b11832da6eec2d511c6ea882eeca5f151e86e47da9914f561da48a3a9
MD5 hash:
b929955ebbcd019d9451d5cdbaf9083e
SHA1 hash:
b2e071c7d28533dcd5ac7044f6ae9da6ef254496
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e80391d1-80c6-4ad2-bb56-81862f35de31/
SH256 hash:
d85b8cabcd295796e4b21e719749ae45eff7558f530bfdf0c78e8aaadef46472
MD5 hash:
47cc70a59035c26c17c6376854a86abd
SHA1 hash:
d9d3f867a2cc68c7657b3291ab6730e82b1bed6c
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/e80391d1-80c6-4ad2-bb56-81862f35de31/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca081d2e9e51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_b509dfc8
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_bytestring
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments