MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f
SHA3-384 hash: 301b910a9802f55144b63ab207490b10451ae37b7f19c7ad3faf9a67b1427bd4df56369fdf44fbf247391366f4191400
SHA1 hash: 9f354470cec4f7153462975d551df8c32aa79a8e
MD5 hash: c6d858aa813051d68bcd51b4d68047ae
humanhash: dakota-north-may-oklahoma
File name:interac.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:419 bytes
First seen:2026-03-18 08:46:50 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12:wbYVJ4JF6984CXLgyaIS1PKC2ALFyGHDfhy1MnG9k1N:wq4j6EXLw1PKC2kFHDT5n
Threatray 1'629 similar samples on MalwareBazaar
TLSH T14BE081211357300F2A9FC0928948D0CBFA4CD2CC03263DF769C4EC018C821E99E8E228
Magika batch
Reporter abuse_ch
Tags:AsyncRAT bat RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
BatchScript
varying reportable information from embedded commands and any observed URLs
Link:
https://research.acce.ciphertechsolutions.com/results/75e81983-f171-4f07-bb3e-8a9f5f62c68e/
Malware family:
n/a
ID:
1
File name:
_e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f.txt
Verdict:
No threats detected
Analysis date:
2026-03-18 08:48:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78f4318d-801b-45d3-9c12-bb29f4d37d3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57892/
Detection(s):
SecuriteInfo.com.Generic.PWSH.Downloader.D.AE39D6F6.16406.3972.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba669888c80c01586b90df
Tags:
autorun trojan shell sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt to an infection source
Gathering data
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f
Result
Gathering data
Verdict:
Malicious
File Type:
unix shell
Link:
https://opentip.kaspersky.com/e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885427
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disable Windows Notification Center
Disable Windows Toast Notifications
Disables UAC (registry)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious PowerShell Commandlets - ProcessCreation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885427 Sample: interac.bat Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 61 raw.githubusercontent.com 2->61 63 ip-api.com 2->63 65 github.com 2->65 89 Suricata IDS alerts for network traffic 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 21 other signatures 2->95 10 cmd.exe 1 2->10         started        13 Security.exe 2->13         started        16 Security.exe 2->16         started        18 svchost.exe 2->18         started        signatures3 process4 dnsIp5 101 Suspicious powershell command line found 10->101 103 Uses cmd line tools excessively to alter registry or file data 10->103 105 Tries to download and execute files (via powershell) 10->105 113 3 other signatures 10->113 20 powershell.exe 17 17 10->20         started        25 conhost.exe 10->25         started        73 ip-api.com 208.95.112.1, 49707, 49724, 80 TUT-ASUS United States 13->73 107 Antivirus detection for dropped file 13->107 109 Multi AV Scanner detection for dropped file 13->109 111 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 13->111 27 WerFault.exe 13->27         started        29 WerFault.exe 16->29         started        75 127.0.0.1 unknown unknown 18->75 signatures6 process7 dnsIp8 67 156.233.71.230, 49692, 49703, 80 IKGUL-26484US Seychelles 20->67 51 C:\Users\user\AppData\Local\...\interac.bat, DOS 20->51 dropped 97 Found suspicious powershell code related to unpacking or dynamic code loading 20->97 99 Powershell drops PE file 20->99 31 cmd.exe 1 2 20->31         started        53 C:\ProgramData\Microsoft\...\Report.wer, Unicode 27->53 dropped 55 C:\ProgramData\Microsoft\...\Report.wer, Unicode 29->55 dropped file9 signatures10 process11 signatures12 115 Suspicious powershell command line found 31->115 117 Uses cmd line tools excessively to alter registry or file data 31->117 119 Tries to download and execute files (via powershell) 31->119 121 Adds a directory exclusion to Windows Defender 31->121 34 reg.exe 31->34         started        37 powershell.exe 23 31->37         started        39 powershell.exe 23 31->39         started        41 21 other processes 31->41 process13 dnsIp14 77 Disable Windows Defender real time protection (registry) 34->77 45 WerFault.exe 34->45         started        47 WerFault.exe 34->47         started        79 Loading BitLocker PowerShell Module 37->79 69 github.com 140.82.112.4, 443, 49704 GITHUBUS United States 41->69 71 raw.githubusercontent.com 185.199.109.133, 443, 49705 FASTLYUS Netherlands 41->71 57 C:\ProgramData\WinGuard\Security.exe, PE32 41->57 dropped 59 C:\Users\user\AppData\...\Security.exe.log, CSV 41->59 dropped 81 Creates multiple autostart registry keys 41->81 83 Disables UAC (registry) 41->83 85 Disable Windows Notification Center 41->85 87 Disable Windows Toast Notifications 41->87 49 conhost.exe 41->49         started        file15 signatures16 process17
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f
Threat name:
Script-PowerShell.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-17 20:39:40 UTC
File Type:
Text (Batch)
AV detection:
5 of 36 (13.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4y5wxb2te25ndqlkhmdz4avihwxsy45fyw6myz5isg3n43aj3bhq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2c7829ad3fdf5698fdf93c8be35d2425e6129d566bbfdff280cd34462021dbd9
AsyncRAT
2c79462021c78e9c39cd136bccc49117eb5206adca4f1735e2ba606d99b2677b
AsyncRAT
8db0cd1d0244de2a22f748c4d8fdac91f6850f1fef19bc7f2afe1d5cefb5b228
AsyncRAT
ab82ee4628e3c5b8f5b9708bfda88eb20533e07369936e7a188382d2a3ae64b8
AsyncRAT
b12de14a65edbfc18314e52d96f7617e2052e10bfeaba15926efd80b2799d61d
AsyncRAT
error
AsyncRAT
+ 1'619 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion evasion execution persistence rat trojan
Link:
https://tria.ge/reports/260318-kp1e5aev7v/
Behaviour
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
UAC bypass
Xworm
Xworm family
Malware Config
C2 Extraction:
slashxx.duckdns.org:4040
Dropper Extraction:
http://156.233.71.230/EN/Exe/nhFRAN/interac.ico
http://156.233.71.230:8080/EN/Exe/nhFRAN/interac.exe
https://github.com/moyousry95/slash2/raw/refs/heads/main/Security.exe
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e63b6b875326/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Batch (bat) bat e63b6b875326bad1c16a3b079e02a83daf2c73a5c5bccc67a891b6de6c09d84f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3798112/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57892/

Comments