MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88
SHA3-384 hash: 86fd87575516e4d071c75b8fa72b376a14c7c66670ddb52fc7814e48f16d171ffe23ff984bccf3f4e2afc468f4e3cddd
SHA1 hash: 65804d32dc3694e8ec185051809a8342cf5d5d99
MD5 hash: 5cfc96efa07e34454e5a80a3c0202c98
humanhash: eight-leopard-avocado-low
File name:k3t05Da.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:6'187'008 bytes
First seen:2025-03-22 13:12:22 UTC
Last seen:2025-03-23 10:52:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 98304:vWRINcH5pNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6EU:ORINg9GeDVI5DKBWZlkgJedYs6LtYdEV
Threatray 8 similar samples on MalwareBazaar
TLSH T16056335E7941AB9FCD0B4431DD385DBCA770B9332703832B601321AD5E6EA56EF680E6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 063e58b870614264 (1 x AsyncRAT)
Reporter aachum
Tags:AsyncRAT exe xworm


Avatar
iamaachum
http://176.113.115.7/files/5169948862/k3t05Da.exe

XWorm C2: httpss.myvnc.com:1907

Intelligence

File Origin
# of uploads :
3
# of downloads :
433
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-03-22 12:58:20 UTC
Tags:
opendir loader amadey botnet stealer lumma darkvision remote themida rdp payload stegocampaign ta558 apt rat
Link:
https://app.any.run/tasks/3bb747bd-ed5f-4a69-b0ac-15643864f595

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67deb76fc8a812f780e80b19
Tags:
packed dotnet agile
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Launching a file downloaded from the Internet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67deb762a175d3177344de72/reports/ec171b96-0c63-4bb6-8102-18afd8bce5e2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cbc246d8-f504-4ebb-b252-fc7dd849f0a0
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1645771
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645771 Sample: k3t05Da.exe Startdate: 22/03/2025 Architecture: WINDOWS Score: 100 65 httpss.myvnc.com 2->65 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 18 other signatures 2->87 8 k3t05Da.exe 15 10 2->8         started        13 ohbuGGy.exe 14 5 2->13         started        15 cmd.exe 2->15         started        signatures3 process4 dnsIp5 69 196.251.91.42, 49695, 49697, 49698 Web4AfricaZA Seychelles 8->69 57 C:\Users\user\AppData\Roaming\ohbuGGy.exe, PE32 8->57 dropped 59 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 8->59 dropped 61 C:\Users\user\...\ohbuGGy.exe:Zone.Identifier, ASCII 8->61 dropped 63 3 other malicious files 8->63 dropped 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->91 93 Query firmware table information (likely to detect VMs) 8->93 95 Uses schtasks.exe or at.exe to add and modify task schedules 8->95 97 Adds a directory exclusion to Windows Defender 8->97 17 cmd.exe 2 8->17         started        21 powershell.exe 23 8->21         started        23 k3t05Da.exe 2 8->23         started        26 schtasks.exe 1 8->26         started        99 Multi AV Scanner detection for dropped file 13->99 101 Injects a PE file into a foreign processes 13->101 103 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->103 28 cmd.exe 13->28         started        30 schtasks.exe 13->30         started        32 ohbuGGy.exe 13->32         started        105 Suspicious powershell command line found 15->105 34 conhost.exe 15->34         started        36 powershell.exe 15->36         started        file6 signatures7 process8 dnsIp9 55 C:\Users\user\AppData\Roaming\...\tetras.bat, Unicode 17->55 dropped 71 Suspicious powershell command line found 17->71 73 Drops script or batch files to the startup folder 17->73 75 Bypasses PowerShell execution policy 17->75 38 conhost.exe 17->38         started        41 powershell.exe 17->41         started        77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->77 79 Loading BitLocker PowerShell Module 21->79 43 conhost.exe 21->43         started        45 WmiPrvSE.exe 21->45         started        67 httpss.myvnc.com 193.183.217.71, 1907, 49696 TELIANETTeliaCarrierEU Sweden 23->67 47 conhost.exe 26->47         started        49 conhost.exe 28->49         started        51 powershell.exe 28->51         started        53 conhost.exe 30->53         started        file10 signatures11 process12 signatures13 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->89
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-03-21 14:20:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
40
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mh6pzywzlz6bxfr7o3ierdg7ad2vbjjlp6h5vyen7v7gmy5voea._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
e21eb4119978ec76259ccdffe25f75dfbcdf0ba17b350fd036e9bd0998cb6c1c
AsyncRAT
e56837db56867e394ea649124f410a11c9086df6476ce168e6943376ae6c89b9
AsyncRAT
error
AsyncRAT
fe6064e70c302549004b15d0f89c94776ab0e1ce0c8b6be604e52f4d7beac73d
AsyncRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm agilenet defense_evasion discovery execution rat themida trojan
Link:
https://tria.ge/reports/250322-qf5alstset/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Themida packer
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
httpss.myvnc.com:1907
Dropper Extraction:
http://196.251.91.42/up/uploads/encryption02.jpg
Gathering data
Unpacked files
SH256 hash:
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88
MD5 hash:
5cfc96efa07e34454e5a80a3c0202c98
SHA1 hash:
65804d32dc3694e8ec185051809a8342cf5d5d99
Link:
https://www.unpac.me/results/b4f422a1-7905-4f24-8589-4ed89b39d5bf/
SH256 hash:
8935bed7b2d475866244eda408e1a60f011c330bca44f52d3b01f533198f56e4
MD5 hash:
4c0b91ccab0b441981ac7fe6a35199ac
SHA1 hash:
feca5f5562fb8d7f872ef12acc9828d0a3944ce7
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Link:
https://www.unpac.me/results/b4f422a1-7905-4f24-8589-4ed89b39d5bf/
SH256 hash:
c8c9a86f70c74b93db5398400e00b95b334853a5e842d38158bf272992619f65
MD5 hash:
e63ef58d892566c7c6a97822991d0283
SHA1 hash:
172067dcd36d0396a2feeef99a2dfbcffffa368c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b4f422a1-7905-4f24-8589-4ed89b39d5bf/
SH256 hash:
49e0bce03a31e6590410602e96c0fa72d52b2c85ad7e692c374f4aa9142e6131
MD5 hash:
611a372c1e8529381e113f40be3952ee
SHA1 hash:
246904d3806ea60bcb503a201e1bd63a0e76765e
Detections:
win_xworm_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/b4f422a1-7905-4f24-8589-4ed89b39d5bf/
Parent samples :
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88
49e0bce03a31e6590410602e96c0fa72d52b2c85ad7e692c374f4aa9142e6131
SH256 hash:
ed7090c87927967c08f1c0b861b1c21ed1cd0885227c31bb4e52e857f657b667
MD5 hash:
ab04dbde3ab78a30cd8ef476fd5e2ee5
SHA1 hash:
2ea3e35075a11b8f762272f19d4efae3caeafc5e
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b4f422a1-7905-4f24-8589-4ed89b39d5bf/
Parent samples :
cea3a71806ecfdd4c4ba8a81c7cab7e2e3e30cd1da823cd3e4b145a949cc3617
1c3857b716fc65dbd1ffdc7e06b1d2b0420537ac4f113d7ece283b64fee8c976
8a54d3c9af3aa73ee06abc101d4c1791adbefdd205a1d576cfcfab423d441c87
714169ae2bbd3503ff72eda33d7fdff7cecd5f39fcea5c49e2f4ad4562aabb3d
20aed1d218b695d49699aa9afb2f2e036b24ecf0654ac8e1253a99037ec44c1e
c3f9616bfc8b4e899bc5bebb87ff26a4582f5ce8387388d7a6581268b02298a5
a9a87510d6ea1ba4e8ac3d7fe1fc5099a356b6d99fe729d384cbf2b665a653a5
35ebe17f33803f292a173b8652fdd9c69be8e6b89bc9897776e41c3a721b4211
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88
8fff9a173774de4ef78139d49e3f62b83fdf1b2a542c257567e76c7b82ef5e5f
4f30ff34b7783623eeb7e213fc6a4bfe560e4607271791144262a3e5e3b9b1ed
e6f8c55e28db20fd767010b1bae587df65c60c8902216e64f4dbcf2d885c72b5
SH256 hash:
aae3025220e4753ad58bb398299685f8176333b4549cce736452f086e942b36b
MD5 hash:
d3e5f1c49f3b935505b717970febb1da
SHA1 hash:
fb04e74c72ebabaf97248a2023b31e32273afcf7
Link:
https://www.unpac.me/results/b4f422a1-7905-4f24-8589-4ed89b39d5bf/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb0fe7e716ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_dbae6542
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

(this sample)

  
Link
https://tria.ge/250322-p3pb8ssygw/behavioral1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3487089/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments