MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de91b41ca57e7993a67aa0b8666ad52f5e5b0af3d24de69a8b1712ec8f9e4179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	de91b41ca57e7993a67aa0b8666ad52f5e5b0af3d24de69a8b1712ec8f9e4179
SHA3-384 hash:	4921aceae8e6c9100484fba539d52c3603f87bbf6c60592b46088fb5ebb46e1167611819ae234631747f25bef28f334e
SHA1 hash:	65c7bc35f713f3ecadc31f4bd5b5751b351ab4ed
MD5 hash:	d83d9c5532130a894b0a5748051aa16d
humanhash:	summer-delta-carbon-football
File name:	SecuriteInfo.com.Trojan.Win32.Krypt.15484.5780
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	717'728 bytes
First seen:	2025-06-03 22:19:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ddec375ba06350d1d4f99f542ec22104 (1 x AsyncRAT, 1 x RustyStealer)
ssdeep	12288:sMqaA8xqaJohcDuM7oWPK3aLSypihJHQN7Ddxxz2J2+YobmCIi4wCGd50ILK4E9k:sMqa0aWuDuM7ouK3kXpihJg7jxN+5IX6
Threatray	11 similar samples on MalwareBazaar
TLSH	T11EE49F4E718086BBC7E42FBFCBC8DFAD9FB8354583C06ECE926417E54176950A5089E2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	86968eb2b6ec0e8b (1 x AsyncRAT)
Reporter	SecuriteInfoCom
Tags:	AsyncRAT exe signed

Code Signing Certificate

Organisation:	Apple Corporation
Issuer:	Apple Corporation
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-02-18T14:44:52Z
Valid to:	2025-05-18T14:44:52Z
Serial number:	900da90e116eea8af3ee1f91efab99
Thumbprint Algorithm:	SHA256
Thumbprint:	ced6aa5c5989ef5b382be10f7cfbac94094d1769ba71a29ac09cddca3a4536e0
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

379

Origin country :

Vendor Threat Intelligence

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/7144/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Krypt.15484.5780.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683f76b78bd5d68a12e4ba18

Tags:

shellcode injection autorun extens

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a window

Connection attempt

Enabling autorun by creating a file

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

anti-debug anti-vm expired-cert microsoft_visual_cc rust signed

Link:

https://www.filescan.io/uploads/683f74f4fd02ed5e05968c2b/reports/96d14cd5-aa5e-41d0-b1b4-a656f347cf57/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/de91b41ca57e7993a67aa0b8666ad52f5e5b0af3d24de69a8b1712ec8f9e4179

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a65f83ea-e63d-4e22-bbf0-f91d54ea0a15

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1705419

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious PE digital signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/de91b41ca57e7993a67aa0b8666ad52f5e5b0af3d24de69a8b1712ec8f9e4179

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de91b41ca57e7993a67aa0b8666ad52f5e5b0af3d24de69a8b1712ec8f9e4179/

Threat name:

Win32.Backdoor.Xworm

Status:

Malicious

First seen:

2025-06-03 21:49:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=32i3ihffpz4zhjt2uc4gm2wvf5pfwcxt2jg6ngulc4jozd46if4q._file

Verdict:

malicious

Label(s):

xworm

donut_injector

Result

Malware family:

xworm

Score:

10/10

Tags:

family:donutloader family:xworm discovery loader rat trojan

Link:

https://tria.ge/reports/250603-18pqqsan41/

Behaviour

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops startup file

Detect Xworm Payload

Detects DonutLoader

DonutLoader

Donutloader family

Xworm

Xworm family

Malware Config

C2 Extraction:

135.181.8.126:7000

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/75bdcaf0-39cb-4caa-816c-4cda752494bf

Unpacked files

SH256 hash:

de91b41ca57e7993a67aa0b8666ad52f5e5b0af3d24de69a8b1712ec8f9e4179

MD5 hash:

d83d9c5532130a894b0a5748051aa16d

SHA1 hash:

65c7bc35f713f3ecadc31f4bd5b5751b351ab4ed

Link:

https://www.unpac.me/results/f5ffbc95-ad57-4ee8-8b30-99c2ebc17fb4/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/de91b41ca57e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)