MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90
SHA3-384 hash: 2c1c66fba765faa234493f603e2919f39a84123c067b9611b84f96b81dcd61cb8749e5dd008a381843b5e12319f53167
SHA1 hash: 11f01bb6e93ed0d14e19215dd145d3ada7f2b7a5
MD5 hash: 1e2bc15cd9eff48623de9e290b937ff6
humanhash: glucose-india-video-earth
File name:Delivery Notice - 0427 SO#B548 KEL-GDANSK 昱嘉科PDF.........................................................................................................................................................scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:724'992 bytes
First seen:2026-05-05 07:14:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'003 x AgentTesla, 19'911 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 12288:n7XRuCNUbkB1dJtdaGEs5Tmez1rZf8iGc4uS3x0paP0mvJ5LJpBMsJyoT0M:n7RYkBd74sdFtZkiAJP0mvLDasJye
Threatray 761 similar samples on MalwareBazaar
TLSH T153F41270A76DCA11D88A67F46661EB7103700F5EE193C32E8FFEFCEB782A6255509181
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/9770d55f-d881-4024-a5f7-4444cf133b02/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-05 07:15:24 UTC
Tags:
auto-startup xworm remote
Link:
https://app.any.run/tasks/6ed9c6d8-7eff-4536-a876-4a78e86ddb7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/64532/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.18567421.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook krypt masquerade packed unsafe vbnet
Link:
https://www.filescan.io/uploads/69f9991586e92bda701eee0a/reports/a0b796ed-5bbb-464e-9936-2c2f53bbd35f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-05T03:26:00Z UTC
Last seen:
2026-05-07T03:51:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.gen Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8a72a065-1698-420e-9b83-2ed365c9ae20
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1908512
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.24 Win 32 Exe x86
Link:
https://app.malva.re/file/1e2bc15cd9eff48623de9e290b937ff6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogge
Create hunting rule
Status:
Malicious
First seen:
2026-05-05 07:15:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3l77lw6nbwlastlfcpun244osau7xxugfucmpcswrdpqv62ldsia._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
741508351f8b822d9ce3ecd6d380ac5a37b598b7114c3db5e77a2bacd709c7c8
AsyncRAT
87ffe7535f7e221d713ce338cb8f1ad3481c6a1a48932203f1658d6a1cd1c201
AsyncRAT
9b8d72d1a03fbc62aceda0d7e071474fa88f81624ce6aed1fd77f4197cd96305
AsyncRAT
9fe7289e6e6eff48961ebe44aed0440e21d35702da284c34f4ef8c37b6ad7419
AsyncRAT
error
AsyncRAT
+ 751 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/260505-h3hfcsas4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Unpacked files
SH256 hash:
dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90
MD5 hash:
1e2bc15cd9eff48623de9e290b937ff6
SHA1 hash:
11f01bb6e93ed0d14e19215dd145d3ada7f2b7a5
Link:
https://www.unpac.me/results/0ed17f50-feff-4ddd-b472-05f787d40034/
SH256 hash:
50b044fdf6ef68f9c4651f2058b889e7199ed9882342e5fbcb65c0372fc3498b
MD5 hash:
e741b14e6d5b9cb132b29d72e45deba1
SHA1 hash:
4cd3be0545d2cd03bc177e017ebc29b544cc4d2e
Link:
https://www.unpac.me/results/0ed17f50-feff-4ddd-b472-05f787d40034/
SH256 hash:
b2461272647b05cf640447fdd1267b8e048906036cad9b9652a293a7a247dfd2
MD5 hash:
95f913d44a0ac3f95aa631b8e865ca3f
SHA1 hash:
4e70f88ad665f09995fad66d4ce2d6dfce1e4404
Link:
https://www.unpac.me/results/0ed17f50-feff-4ddd-b472-05f787d40034/
SH256 hash:
063ad4d36d685ea710038c154c29d75df4a582ffae18288690ff935f915e75b5
MD5 hash:
60b51e16c47b2d1f1db58804bc4b9d88
SHA1 hash:
58112fc5ca8bee58bb07281d601fd18bf7ef309d
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
Link:
https://www.unpac.me/results/0ed17f50-feff-4ddd-b472-05f787d40034/
Parent samples :
8a249e7566f513e34498a82593b400fe5d279ee7687cc52b4a8a709b88d77313
dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dafff5dbcd0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe dafff5dbcd0d96094d6513e8dd738e9029fbde862d04c78a5688df0afb4b1c90

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/64532/

Comments