MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce
SHA3-384 hash:	61d4dfb99e947e203b7114e5aa7724aeadd5bcbcd4bcb7ec15b3f76a87a00a24a1d7f2125c2aacf724fa76ba58537aad
SHA1 hash:	6f32b9ed4418ff759b154524948968e69bf20038
MD5 hash:	2c2937b0d151721d07ced99ba79436de
humanhash:	jersey-artist-cup-thirteen
File name:	d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	6'185'984 bytes
First seen:	2026-03-01 09:31:42 UTC
Last seen:	2026-03-01 10:47:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	22e78a00070f9fd81c1508aa25033259 (2 x AsyncRAT)
ssdeep	49152:pfSka7VuYZ1pL0XIrVHVuFrwNth4TQt+E7w9Ju8k7L6+CnqI9nDpmViNU9cJKyf+:EjfrV9th4TQ9EIZ
Threatray	2'167 similar samples on MalwareBazaar
TLSH	T175568C14A3E901B4E577EB78C6258333D6B1BC959735810F0669FA4A1F73A608F2FB21
TrID	70.9% (.EXE) InstallShield setup (43053/19/16) 10.7% (.EXE) Win64 Executable (generic) (6522/11/2) 8.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.3% (.EXE) OS/2 Executable (generic) (2029/13) 3.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	176-65-132-10 AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce

Verdict:

Malicious activity

Analysis date:

2026-03-01 09:45:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/69bbb90d-a31d-49d9-b2e9-81377493d5cb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/55059/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.77913939.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a407a78fffa866e3b3a720

Tags:

dropper virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context crypto fingerprint microsoft_visual_cc

Link:

https://www.filescan.io/uploads/69a4079910e80629d4f7361d/reports/de5cb11a-aa12-4696-a178-bd627e29e61d/overview

Verdict:

Malicious

Labled as:

Win64/Agent.ECK trojan

Link:

https://www.hybrid-analysis.com/sample/d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce

Verdict:

Malicious

File Type:

dll x64

First seen:

2025-12-16T12:54:00Z UTC

Last seen:

2025-12-16T21:57:00Z UTC

Hits:

~10

Detections:

Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.Win64.Generic

Link:

https://opentip.kaspersky.com/d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d8b8c546-996a-4d62-9791-ea40f928f4a7

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce/

Verdict:

Malicious

Threat:

Family.ASYNCRAT

Link:

https://tip.neiki.dev/file/d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce

Threat name:

Win64.Backdoor.Xworm

Status:

Suspicious

First seen:

2025-12-16 20:42:23 UTC

File Type:

PE+ (Dll)

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2pcbsjrmulib7lnselkga6g6ewgl27bt27yjbz2me7as7tfp63ha._file

Verdict:

malicious

Label(s):

xworm

AsyncRAT

18c781259384f8c799eb03739f7dee9f312c2d9af8f39ea9eda302a43d78af3d

AsyncRAT

39e6cb5e8f727a509712809a775239f6c084217d1fabb1cef67a3917c645fb68

AsyncRAT

9f2363bef0d47ba48b95ce505478613497d4663498776434c5decabcb1fe1dd1

AsyncRAT

bcbfbd1220992bb8d327e199e25273accb4e73160397d445c06c98bb90e5a194

AsyncRAT

bebb4bed2e81e35672a57429b17ed84872949b5833479937ec0ca97a30b1609d

AsyncRAT

error

AsyncRAT

+ 2'157 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery persistence rat trojan

Link:

https://tria.ge/reports/260301-lhqg1shy8f/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Contacts third-party web service commonly abused for C2

Executes dropped EXE

Detect Xworm Payload

Xworm

Xworm family

Unpacked files

SH256 hash:

d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce

MD5 hash:

2c2937b0d151721d07ced99ba79436de

SHA1 hash:

6f32b9ed4418ff759b154524948968e69bf20038

Link:

https://www.unpac.me/results/b5905e4b-8f6f-4777-bd52-af9880999061/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d3c419262ca2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d3c419262ca2d01fadb222d46078de258cbd7c33d7f090e74c27c12fccaff6ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/55059/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample