MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db
SHA3-384 hash:	0ccb22875e09139c3d22f7b00b5a5333d018f03e15b0794c5fac08de0caedd96c1a2a6c18ad3b760e2c5b9e428a2f310
SHA1 hash:	7bd10c87194ceca2a725571e7cf9b06f20d38b11
MD5 hash:	f7d254b485ee1afb2a8823a6c1d80344
humanhash:	victor-video-moon-five
File name:	test.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	54'272 bytes
First seen:	2025-12-31 02:26:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:KA9bmLJRpMgLfiKbNuzao1PILIu2uB96u:NBsJRCBONPo1QL5B96u
Threatray	1'521 similar samples on MalwareBazaar
TLSH	T12B33012761A40973E492C6352D7DA18AC2B3FD438D3F890FD7C90A6D642660BA733766
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	BastianHein
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Lime XWorm

Details

Lime

a decrypted component and its AES-CBC decryption parameters

XWorm

a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL

Link:

https://research.acce.ciphertechsolutions.com/results/01c619cf-2a84-4bf1-b42a-484cbb6f7396/

Malware family:

n/a

ID:

File name:

test.exe

Verdict:

Malicious activity

Analysis date:

2025-12-31 00:58:35 UTC

Tags:

auto-reg auto-startup xworm

Link:

https://app.any.run/tasks/e575774b-18fe-40f4-91f8-b944b20f3ec3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/46624/

Detection(s):

Win.Packed.Razy-7334624-0

ditekSHen.INDICATOR.Packed.NyanXCAT-CSharpLoader.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6954753ae148d42004de098c

Tags:

autorun packed shell sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult crypt limecrypter nanocore packed packed razy unsafe

Link:

https://www.filescan.io/uploads/69548a00127d6a14e0c97957/reports/6e387607-1e84-4a15-ba2c-d45be91d5560/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-30T22:03:00Z UTC

Last seen:

2025-12-31T01:49:00Z UTC

Hits:

~10

Detections:

Backdoor.MSIL.XWorm.a Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Azorult.gen HEUR:Trojan.Win32.Generic PDM:Trojan.Win32.Tasker.cust HEUR:Trojan.MSIL.Injector.gen Backdoor.Win32.Androm Trojan.Win32.Agent.sb Backdoor.MSIL.XWorm.b

Link:

https://opentip.kaspersky.com/f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c5f9ea1d-078b-4408-af70-b3a337c91b8f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.01 Win 32 Exe x86

Link:

https://app.malva.re/file/f7d254b485ee1afb2a8823a6c1d80344

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db

Threat name:

Win32.Backdoor.NanoCore

Status:

Malicious

First seen:

2025-12-31 00:58:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6vdsjpkcdiaz6oli23fzptbl2i5rkzebpysjfeeondywm3aeqxnq._file

Verdict:

malicious

Label(s):

xworm

AsyncRAT

6885d7a55f1e3b5fcf0c7adcfdfcff5826e66cb999573a5d68f315e12d52535d

AsyncRAT

8b6bfb75c79e5c9e864d049520dbfa4524ca66177cbdea32a6671bc922a0e524

AsyncRAT

cc06b15ba726eef22c4645294a7499a1ffb11b7234b2f0b6a088b89c1697bb37

AsyncRAT

ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4

AsyncRAT

+ 1'511 additional samples on MalwareBazaar

Gathering data

Verdict:

Malicious

Tags:

Win.Packed.Razy-7334624-0

YARA:

n/a

Link:

https://app.threat.zone/submission/b1d8f637-8bc3-411c-8be9-3be30aa9d616

Unpacked files

SH256 hash:

f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db

MD5 hash:

f7d254b485ee1afb2a8823a6c1d80344

SHA1 hash:

7bd10c87194ceca2a725571e7cf9b06f20d38b11

Link:

https://www.unpac.me/results/e987fb10-6240-463d-8318-7248eab677bf/

SH256 hash:

8b6bfb75c79e5c9e864d049520dbfa4524ca66177cbdea32a6671bc922a0e524

MD5 hash:

975ed8f12c2d404445e325ef36390f32

SHA1 hash:

8b953f44948369c4413a7f836bbac2157504322b

Detections:

win_xworm_a0

win_xworm_w0

XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/e987fb10-6240-463d-8318-7248eab677bf/

Parent samples :

8b6bfb75c79e5c9e864d049520dbfa4524ca66177cbdea32a6671bc922a0e524
6885d7a55f1e3b5fcf0c7adcfdfcff5826e66cb999573a5d68f315e12d52535d
cc06b15ba726eef22c4645294a7499a1ffb11b7234b2f0b6a088b89c1697bb37
f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f54724bd421a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f54724bd421a019f3968d6cb97cc2bd23b1564817e2492908e68f1666c0485db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_NyanXCat_CSharpLoader Create hunting rule
Author:	ditekSHen
Description:	Detects .NET executables utilizing NyanX-CAT C# Loader

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/46624/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample