MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae
SHA3-384 hash: 5a6fbe784f41a3d7f43538800fe54585a65c90855c9d6e1c35841c322c8cc79d6934a55d49d843c6af20354f51fc0d98
SHA1 hash: 0c86281a541cd1755d4ec8a88f6907493cdc2e11
MD5 hash: 94f61f83185d34af17339af44238b2ef
humanhash: helium-oranges-purple-single
File name:INVOICE - KHH26050540 - SUMINDKHH (13-Jan-26).PDF.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:813'568 bytes
First seen:2026-01-13 09:53:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:vj1UKCRs8dAabxWOTST/HRpysYZ+pwCtnqD0nmjJk9aRm2SxgMLjig:GRskh1WOTST/HfystZq6mVk9a82Sx
TLSH T16C05E018276ACE02D8A65FF92971E3B417786DEEB860D3978FDABDEB34657004900347
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/8db11dfe-a641-4502-a449-eabeb1bdfe29/
Malware family:
n/a
ID:
1
File name:
INVOICE - KHH26050540 - SUMINDKHH (13-Jan-26).PDF.scr
Verdict:
Malicious activity
Analysis date:
2026-01-13 09:57:27 UTC
Tags:
auto-startup remote xworm
Link:
https://app.any.run/tasks/f0dcb757-241b-4296-8d2a-8f1a8f458430

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48766/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69661622ef906a21abcce2f4
Tags:
autorun virus krypt msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context bitmap masquerade packed packed stego vbnet
Link:
https://www.filescan.io/uploads/6966161c3827c9e1249aca02/reports/42495dab-e03f-4cd6-a649-767274182fb8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-13T03:18:00Z UTC
Last seen:
2026-01-15T06:19:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Badex.c Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.DarkCloud.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.b
Link:
https://opentip.kaspersky.com/cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/893358db-ae73-455b-99c9-5344706c9f1d
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2026-01-13 06:08:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqd3p7cevorzazdqxzfvukc3nyl3jrt7obxev6tpy2kdsjebzgxa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
AsyncRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery rat trojan
Link:
https://tria.ge/reports/260113-lwwwysav2h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Drops startup file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
172.94.15.100:6070
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6dd23974-8f12-4721-8046-2ca7b9166bab
Unpacked files
SH256 hash:
cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae
MD5 hash:
94f61f83185d34af17339af44238b2ef
SHA1 hash:
0c86281a541cd1755d4ec8a88f6907493cdc2e11
Link:
https://www.unpac.me/results/073a9ecb-4d97-4316-9a73-ccd29cd0318f/
SH256 hash:
6a3d0e2e98b1cf28a0547aca0e88a20e251d94e0df7a5808769a2882e58dda11
MD5 hash:
da428eda04a2259a02bcf3120c34715c
SHA1 hash:
34c754c85eebd4c749bab5b24f1a8d3a5f5ebd8a
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/073a9ecb-4d97-4316-9a73-ccd29cd0318f/
Parent samples :
392f6b46f45bad21bf7e18de9d62f46651516f7e1b89e2581a1e4e7f71df141b
f3302bb5ac2840ebf927880eb4ba71b2669d7f3f9a261ade6505b2081edef0c7
cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae
5ac6244e4e561e0db75d436f895369ac7b8927b3726ad7f89e795c8aea4ba017
dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
172c3076e5d6bfe9089a1e092d1286e77337bc3680db32539e3a7bf69b7d0560
a9748173bb602313b8b1fc6eb71d4036ad98ba25c19b360326dd74cfd71c6522
4eef5964d4be888f65a3410d0f60fd3559021aff06bf1448c919e294b7ecb72e
77be2ee5c55a9c5f20b6522fb6fbd174465481ad60b5143c95ee31e16fccaf8e
27ec2b5eec31bcba30eb7c61b6d0cd60bb36716a397bdcb40f2061866519cb02
e81a2db8cb80396874720064cdfbf62901b1e6b96e8395d6a9846bf930f7efa0
SH256 hash:
28e998e6cde9ecbf24967433ea1afa2e95f26233f1199460ca0a7f2b34b690b1
MD5 hash:
6815abd4138624b9d6975b742a1e3781
SHA1 hash:
42fdc8ae68242f723ffaa61fb507244b63502c6c
Detections:
win_xworm_w0
Create hunting rule
win_xworm_a0
Create hunting rule
XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/073a9ecb-4d97-4316-9a73-ccd29cd0318f/
SH256 hash:
06373c467711960f0f1af011c59327a1b424ca46acecfb6630e7edd276e5a6b8
MD5 hash:
b725f74472e367b3c359a60c981043e2
SHA1 hash:
6c29a3174ce61e563e1ad15770f436a4573f6c62
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/073a9ecb-4d97-4316-9a73-ccd29cd0318f/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc07b7fc44ab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48766/

Comments