MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2
SHA3-384 hash: f7a059531db755e507fd78cb9a360b1f20d085f6776bedda48ca192e1479f033b797b645975792b6ecb157762b210ee0
SHA1 hash: f9698ccb803884af32c6f29c32e6e6cfe9bc9c3e
MD5 hash: 9bab2090824033f56076bb2e5e83aa60
humanhash: magnesium-hydrogen-equal-cat
File name:BCAS25100032 (SO#6418) DETAIL.PDF.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:699'904 bytes
First seen:2025-11-10 02:37:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:VWcqf3YGoxYWjGBBpoMCEPdqAHMeOmMBWVZTnVBPTnVBSapLL2:W3YGRyQsUFXHM58XP2gLL2
Threatray 2'330 similar samples on MalwareBazaar
TLSH T18BE4E1807AA9D893C53542F91532E1781FFA6E9D7222F1C84EC52DEFF8E5F044A88257
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BCAS25100032 (SO#6418) DETAIL.PDF.scr
Verdict:
Malicious activity
Analysis date:
2025-11-10 02:37:38 UTC
Tags:
auto-startup remote xworm
Link:
https://app.any.run/tasks/0d13303f-1840-45c8-a719-a581619bd75d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36627/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69114fdae2c9ded75d78deb3
Tags:
autorun virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/69114fda413b181bff1ddf03/reports/ec6258ea-b5f2-40c5-93ec-32cdb74a3ffc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-09T22:31:00Z UTC
Last seen:
2025-11-11T21:17:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.c UDS:DangerousObject.Multi.Generic PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.PureLogs.gen Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb Backdoor.MSIL.XWorm.b Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10f641ae-fe68-4b52-9f53-ba2662435f2b
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1811074
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.31 Win 32 Exe x86
Link:
https://app.malva.re/file/9bab2090824033f56076bb2e5e83aa60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2
Threat name:
Win32.Backdoor.AsyncRat
Create hunting rule
Status:
Malicious
First seen:
2025-11-10 01:31:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zyqxthzadusjbir2xbi7tbpdr3sbbrfacelwnmagq7kimj3basza._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
6c803b2d7bebfebf374aece5ddcd4f470aeb681d88c22e0b8fe361d4f3c33f35
AsyncRAT
96b5f548190e75840e623792ee01e9561d1f88a89c6fdce734a6cc9a038523ea
AsyncRAT
a6474ff036306675649f2436c672971e47a2b4378f066949c4f2fa73cebcbffe
AsyncRAT
eff06ffe78c495491ce7eff1ed8b140f4ba023126edf85fb248fdf894f40a3c4
AsyncRAT
error
AsyncRAT
+ 2'320 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery rat trojan
Link:
https://tria.ge/reports/251110-c39a7a1qgx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
104.250.180.178:7061
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3a9e0126-8ff1-4f45-beec-b9d8850f1be6
Unpacked files
SH256 hash:
ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2
MD5 hash:
9bab2090824033f56076bb2e5e83aa60
SHA1 hash:
f9698ccb803884af32c6f29c32e6e6cfe9bc9c3e
Link:
https://www.unpac.me/results/70b712f8-4dab-4d33-9456-4361d5b140c8/
SH256 hash:
50c76d0eff2bd06eee227c45d7544604bc2ef4b38e13d21972a89ba1269f66c6
MD5 hash:
c2ec0ca6339212485c220290d78a8dde
SHA1 hash:
9c490c13644bf4f65f119fa5a67e380278253692
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/70b712f8-4dab-4d33-9456-4361d5b140c8/
Parent samples :
ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2
5fc5368bad8a8b519f2c392b97c458d9425307b00d52aaadea20eba58e8eeb24
SH256 hash:
cbd047ef3bc4c1180a83370f3b03d369f56f4a539d4a18f4b8d6cb6320b472d7
MD5 hash:
87693ab47c5b4155742ef04a12a8b3d7
SHA1 hash:
a7b94147f6324e7a4c2182326896b006891e4c42
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/70b712f8-4dab-4d33-9456-4361d5b140c8/
SH256 hash:
96de8ad025d75b1d542339e24eb8bb8ce134fb7173573edde9b999b0fe6851d3
MD5 hash:
b0a7b151b691cb571c6a90d283c47b12
SHA1 hash:
f8b8daa392b266a9e600f485e1922615c16ed9f6
Link:
https://www.unpac.me/results/70b712f8-4dab-4d33-9456-4361d5b140c8/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce21799f201d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe ce21799f201d2490a23ab851f985e38ee410c4a0111766b00687d486276104b2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/36627/

Comments