MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195
SHA3-384 hash:	81672c8eb9fefdc2a7b7f0cc1617a9d72bd7005f30759b5981a2cc9ddeee877419869f678da500b19ac6fb6eab984c3f
SHA1 hash:	bfc4382950ddf0387987d4acd4dc9d158edd29df
MD5 hash:	f59e22d726c90007cd16d54dd6e98985
humanhash:	maryland-king-snake-undress
File name:	f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	1'577'984 bytes
First seen:	2026-02-05 14:56:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e282a991ee7c244b6117f270d1f2b833 (1 x RemcosRAT, 1 x AsyncRAT)
ssdeep	24576:mXGFoK1Hx/daVu7uS4jD9r6HhP6khs4Mn3Ge0IcYKrxSo:mXGNx/Cr6Hhf+4MnZ0NxSo
Threatray	1 similar samples on MalwareBazaar
TLSH	T16A75C032A1908437E12356385C27E7B8152ABD202F1B9845FEDC5E4C8F7778179EA39B
TrID	35.4% (.EXE) Win64 Executable (generic) (10522/11/4) 22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.1% (.EXE) Win32 Executable (generic) (4504/4/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	b0b0b6b2b2b6b033 (3 x RemcosRAT, 3 x Formbook, 2 x AgentTesla)
Reporter	adrian__luca
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195

Verdict:

Malicious activity

Analysis date:

2026-02-05 15:42:18 UTC

Tags:

delphi auto-sch xworm netreactor

Link:

https://app.any.run/tasks/03357f61-26ec-4a2d-8237-e079555ce870

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51832/

Detection(s):

Win.Trojan.Modiloader-10042434-0

PUA.Win.Adware.Dealply-6611681-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6984afddae5379bb6609bdce

Tags:

delphi emotet

Verdict:

Malicious

Labled as:

TrojanDownloader/ModiLoader.a

Link:

https://www.hybrid-analysis.com/sample/f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-07T12:14:00Z UTC

Last seen:

2026-02-07T09:05:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/55b61498-34ca-44ba-95d0-10a6ab6c7f26

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2026-01-07 22:29:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6zoolzns5cdpgxrpj4eulynukvwvzwtvciogipzahockhvmlcgkq._file

Verdict:

malicious

Label(s):

asyncrat

dbatloader

unc_loader_001

Similar samples:

error

AsyncRAT

f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195

AsyncRAT

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution persistence rat trojan

Link:

https://tria.ge/reports/260205-sbsgcsgv2a/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

216.250.252.159:2404

Unpacked files

SH256 hash:

f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195

MD5 hash:

f59e22d726c90007cd16d54dd6e98985

SHA1 hash:

bfc4382950ddf0387987d4acd4dc9d158edd29df

Link:

https://www.unpac.me/results/be3ff065-3efa-4063-afb8-6906529a2ac6/

SH256 hash:

b9cc1ddcc3ea6e5afe8bf89e8520e3b9edc96859d5d9eb48a43b8aa22006f562

MD5 hash:

c7a46d146e75861c82e9219a11bfd9d8

SHA1 hash:

2b55016bbfa254f0e02a530c3f7a0dc451cc7f9b

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/be3ff065-3efa-4063-afb8-6906529a2ac6/

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/be3ff065-3efa-4063-afb8-6906529a2ac6/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f65ce5e5b2e8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f65ce5e5b2e886f35e2f4f0945e1b4556d5cda75121c643f203b84a3d58b1195

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51832/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample