MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 20

Intelligence 20 IOCs YARA 5 File information Comments

SHA256 hash:	ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae
SHA3-384 hash:	cf579cf71f6f68839112e06a24a7b230fb59bd3b98a144678e39e5797ec56924df2bace2b264c084284e369ee93659f3
SHA1 hash:	b22a8360b1adf92aaa824b44f8c255a605a50c7d
MD5 hash:	cb8025d3f84a526c4746b4445366e20c
humanhash:	snake-thirteen-carpet-fifteen
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.MTS.gen.Eldorado.30530.24300
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	581'632 bytes
First seen:	2025-11-21 11:33:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'859 x AgentTesla, 19'785 x Formbook, 12'305 x SnakeKeylogger)
ssdeep	12288:4QBA4V42GFqYuyvZ7DPT8g6CgdwskrlzhyKFnuqPyPbJBbz6G:4OHV42+nuKtpULcnVyP1Bn6
Threatray	1'714 similar samples on MalwareBazaar
TLSH	T131C40164225BDE03E4A31FF41631E2B463B86E8D9822E3175FC63DEFB926B545901783
TrID	35.4% (.EXE) Win64 Executable (generic) (10522/11/4) 22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.1% (.EXE) Win32 Executable (generic) (4504/4/1) 6.9% (.ICL) Windows Icons Library (generic) (2059/9) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki XWorm

Details

RoboSki

a Base64 + XOR/Sub-decrypted component, its associated key, a mutex, a filename, and ReZer0 configuration parameters including: a load type, a download URL and filename (if configured), an interval (if configured), and varying flags

RoboSki

an extracted ReZer0 payload

XWorm

a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL

Link:

https://research.acce.ciphertechsolutions.com/results/d2c7e9b7-c7de-45e2-9c32-68c4561bbb6b/

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Kryptik.MTS.gen.Eldorado.30530.24300

Verdict:

Malicious activity

Analysis date:

2025-11-21 11:36:25 UTC

Tags:

remote xworm auto-sch-xml stealer

Link:

https://app.any.run/tasks/f5fc7570-7e67-4dc7-9d0a-1ba818768ffb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/38933/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.MTS.gen.Eldorado.30530.24300.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69204e3d8cf6736ec0b0046f

Tags:

micro shell sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a TCP request to an infection source

Setting a global event handler for the keyboard

Connection attempt to an infection source

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/69204e3a5d3feebe12d6c695/reports/2c6332ae-70d6-4f76-b8df-be50ca4db574/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-21T08:02:00Z UTC

Last seen:

2025-11-23T08:39:00Z UTC

Hits:

~100

Detections:

Trojan.MSIL.Inject.sb Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Injector.gen HEUR:Backdoor.MSIL.XWorm.gen Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b Trojan.MSIL.Taskun.sb Backdoor.Agent.TCP.C&C

Link:

https://opentip.kaspersky.com/ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/69537f32-2046-4c85-8d24-5f95879f6bda

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.15 Win 32 Exe x86

Link:

https://app.malva.re/file/cb8025d3f84a526c4746b4445366e20c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae

Threat name:

ByteCode-MSIL.Trojan.TelegramRAT

Status:

Malicious

First seen:

2025-11-21 11:34:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=75wwts2rtxr5juh5udyz4romwx5fu6sodasg7zm4d5mp34nctcxa._file

Verdict:

malicious

Label(s):

xworm

unc_loader_037

unc_loader_078

AsyncRAT

34745582e71cb5cb17066160b4d3ce3fb54522266011c393f100d1a47cc43dd8

AsyncRAT

4bc7c3ee641390b78c356aef216d987fa7eba48192678f73048561762b11a5a9

AsyncRAT

77cc53003df98b523e5b8c8ef50877f9d31522a3b7082e02ebd77463c834026e

AsyncRAT

error

AsyncRAT

+ 1'704 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:hijackloader family:xworm collection defense_evasion discovery execution loader persistence pyinstaller rat spyware stealer trojan upx

Link:

https://tria.ge/reports/251121-npklfsvpct/

Behaviour

Kills process with taskkill

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Detects Pyinstaller

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

UPX packed file

Accesses Microsoft Outlook profiles

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Detects HijackLoader (aka IDAT Loader)

HijackLoader, IDAT loader, Ghostulse,

Hijackloader family

Xworm

Xworm family

Malware Config

C2 Extraction:

91.92.242.140:5009

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/362918f5-73e4-41d4-8abf-675e6ab23676

Unpacked files

SH256 hash:

ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae

MD5 hash:

cb8025d3f84a526c4746b4445366e20c

SHA1 hash:

b22a8360b1adf92aaa824b44f8c255a605a50c7d

Link:

https://www.unpac.me/results/8a1cb4f9-96d5-40f8-a6e1-9199831f2581/

SH256 hash:

111e88b06ab4bda9dcea292177f2fbf656f056ee3bc315aea8861653872867a4

MD5 hash:

ca046727926a963297a6f802f7f59312

SHA1 hash:

49c2d05a1f1ea2530c2b54c1450b70ab1595175c

Link:

https://www.unpac.me/results/8a1cb4f9-96d5-40f8-a6e1-9199831f2581/

SH256 hash:

5e70a221403d28ef1a34a4c440e3a0c2a080e772b1b864aea1d8777cb0082925

MD5 hash:

c815a0251a79da11168359eb8e172fea

SHA1 hash:

8429f777621ef0213bdbce2e5359e16cfa1d9962

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/8a1cb4f9-96d5-40f8-a6e1-9199831f2581/

SH256 hash:

c65072621027cbe272c743d59c1b01da6f6cc609e2356e0fffc94269c36db8aa

MD5 hash:

bafed78576487549feb8e866c69e5ecb

SHA1 hash:

9353df99350834894b4cd42bac0fa7c4e17d9267

Detections:

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/8a1cb4f9-96d5-40f8-a6e1-9199831f2581/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ff6d69cb519d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff6d69cb519de3d4d0fda0f19e45ccb5fa5a7a4e18246fe59c1f58fdf1a298ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win32_dotnet_form_obfuscate Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/38933/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample