MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e808bb41fd22c4c46309e916d3da8b5c008b2129c0b3ef35f699a96e730c1ef5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 20 File information Comments

SHA256 hash: e808bb41fd22c4c46309e916d3da8b5c008b2129c0b3ef35f699a96e730c1ef5
SHA3-384 hash: e54358fda611d080350924b33e7f5973d780e54ed76b32247c51dc85726bede5a9cfe5ddfc2f219e9fd47d86c5a00e3a
SHA1 hash: a9205dec1737c857e26fcc18c303c7a0f490d89f
MD5 hash: 7c3c74f9f07dcfbf75a821acdbe66e63
humanhash: sierra-football-colorado-eighteen
File name:PARKING9288-BANGKOK-THRFQ.vbe
Download: download sample
Signature AsyncRAT
File size:733'653 bytes
First seen:2026-01-09 17:24:06 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 12288:hTLNRheoY/n+YTBGfb/mFTLNRheoY/n+YTBGfb/mJTLNRheoY/n+YTBGfb/mh:hfb3I+YQiFfb3I+YQiJfb3I+YQih
Threatray 2 similar samples on MalwareBazaar
TLSH T13BF4F11645C41FE9CF6C8A2480FE191EE3A08B5B5463758ABF977D4AEFFB908020B1D5
Magika vba
Reporter abuse_ch
Tags:AsyncRAT RAT vbe

Intelligence


File Origin
# of uploads :
1
# of downloads :
224
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
attrib base64 evasive evasive obfuscated obfuscated persistence powershell reconnaissance
Verdict:
Malicious
File Type:
vbs
First seen:
2026-01-08T04:18:00Z UTC
Last seen:
2026-01-11T10:41:00Z UTC
Hits:
~100
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic Backdoor.MSIL.XWorm.c PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Agent.sb Trojan.VBS.SAgent.sb HEUR:Worm.Script.Generic Backdoor.Win32.Androm Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a Backdoor.Agent.TCP.C&C Trojan-Downloader.JS.Cryptoload.sb
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected malicious Powershell script
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1847533 Sample: PARKING9288-BANGKOK-THRFQ.vbe Startdate: 09/01/2026 Architecture: WINDOWS Score: 100 76 kabla.duckdns.org 2->76 78 keyauth.win 2->78 92 Suricata IDS alerts for network traffic 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 100 11 other signatures 2->100 10 wscript.exe 1 5 2->10         started        14 wscript.exe 1 2->14         started        16 wscript.exe 2->16         started        18 wscript.exe 3 1 2->18         started        signatures3 98 Uses dynamic DNS services 76->98 process4 file5 66 C:\Users\user\...\SystemMaintenance.vbs, ASCII 10->66 dropped 68 C:\Temp\script_zZFSpcm9CSbv_48091.38.ps1, ASCII 10->68 dropped 70 C:\Temp\initialized.marker, ASCII 10->70 dropped 110 Suspicious powershell command line found 10->110 112 Wscript starts Powershell (via cmd or directly) 10->112 114 Windows Shell Script Host drops VBS files 10->114 118 3 other signatures 10->118 20 powershell.exe 16 10->20         started        23 cmd.exe 1 10->23         started        25 cmd.exe 1 10->25         started        72 C:\Temp\script_gofiUP3MUuP0_48104.56.ps1, ASCII 14->72 dropped 116 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->116 27 powershell.exe 15 14->27         started        74 C:\Temp\script_DLii6gszDoJQ_48112.65.ps1, ASCII 16->74 dropped 29 powershell.exe 13 16->29         started        signatures6 process7 signatures8 102 Writes to foreign memory regions 20->102 104 Found suspicious powershell code related to unpacking or dynamic code loading 20->104 106 Injects a PE file into a foreign processes 20->106 31 CasPol.exe 2 6 20->31         started        35 conhost.exe 20->35         started        108 Uses cmd line tools excessively to alter registry or file data 23->108 37 conhost.exe 23->37         started        39 attrib.exe 1 23->39         started        41 conhost.exe 25->41         started        43 attrib.exe 1 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        process9 dnsIp10 80 kabla.duckdns.org 192.169.69.26, 26000 WOWUS United States 31->80 82 103.83.86.58, 26000, 49725 GELEXIY-AS-INGelexiyCabNetIN India 31->82 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->84 86 Tries to steal Mail credentials (via file / registry access) 31->86 88 Tries to harvest and steal browser information (history, passwords, etc) 31->88 90 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 31->90 49 csc.exe 31->49         started        52 csc.exe 31->52         started        54 CasPol.exe 31->54         started        signatures11 process12 file13 64 C:\Users\user\AppData\Local\Temp\CasPol.exe, PE32 49->64 dropped 56 conhost.exe 49->56         started        58 cvtres.exe 49->58         started        60 conhost.exe 52->60         started        62 cvtres.exe 52->62         started        process14
Verdict:
Malware
YARA:
2 match(es)
Tags:
ADODB.Stream Batch Command MSXML2.DOMDocument.6.0 PowerShell PowerShell Call Scripting.Dictionary Scripting.FileSystemObject VBScript VBScript.RegExp WScript.Network WScript.Shell
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2026-01-08 10:40:17 UTC
File Type:
Text (VBS)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:xworm collection defense_evasion discovery execution persistence rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Hide Artifacts: Hidden Files and Directories
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
kabla.duckdns.org:26000
103.83.86.58:26000
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_tiny_vbs
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:Njrat
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win_xworm_w0
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm_kingrat
Author:jeFF0Falltrades

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments