MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e
SHA3-384 hash:	292bab42b732498cfedf9a41c0d7de79d584ce36d38c9498d14aa380f4d17a9e61fe0af4ccdad9abd5538c761a5ec782
SHA1 hash:	3de25a909a7d8f20aaa4d9aba60aeb501c247f86
MD5 hash:	e40eb702f369e5decfb33b3d78bd4b0c
humanhash:	enemy-alpha-spring-jersey
File name:	SecuriteInfo.com.Win64.MalwareX-gen.27060.22350
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	30'208 bytes
First seen:	2024-09-30 01:22:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8c6422f99cddde5bd8d239051984ad7a (1 x AsyncRAT)
ssdeep	384:pWIooQkbZYGM0D4DTrMiRShFRDwSH3I6ELjTo0z2d6GHnGtI4qk9QlEM69+j5P0u:nQFGM0D4DKF9wHmhAvP9Ql369aR0
TLSH	T1BBD22A67276904ECE236937C85A35A16DAB2BC610742E3CF43A192060F377D1EEBDE11
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

385

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

XWorm-Rat-Remote-Administration-Tool--main.zip

Verdict:

Malicious activity

Analysis date:

2024-08-29 02:03:02 UTC

Tags:

discord telegram

Link:

https://app.any.run/tasks/ab46a0c1-5cf2-4240-979b-e2c56370dca0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fac3dd1fc3f42f04e861f5

Tags:

Exploit Crysan Virus Msil

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm configsecuritypolicy evasive hacktool lolbin microsoft_visual_cc mpcmdrun msconfig regedit

Link:

https://www.filescan.io/uploads/66f9fd782b9f18a2e40b0e50/reports/da43ac4f-a744-469c-9a63-c65556e36f6f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bc16c909-969a-4c18-90d8-4e3882f02e85

Result

Threat name:

AsyncRAT, DcRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1522429

Signature

.NET source code references suspicious native API functions

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AsyncRAT

Yara detected DcRat

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e/

Threat name:

Win64.Backdoor.Asyncrat

Status:

Malicious

First seen:

2024-08-26 01:59:12 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 37 (45.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c2rkxy7u6laalyqggggk6n5dm3qaqt5izkcwd43ef6qlj4xqjj7a._file

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:runtimebroker rat

Link:

https://tria.ge/reports/240930-brs96avckb/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Legitimate hosting services abused for malware hosting/C2

Executes dropped EXE

Downloads MZ/PE file

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

37.18.62.18:8060

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3d2a39c5-efea-4f29-a980-4876577ae7e4

Unpacked files

SH256 hash:

16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e

MD5 hash:

e40eb702f369e5decfb33b3d78bd4b0c

SHA1 hash:

3de25a909a7d8f20aaa4d9aba60aeb501c247f86

Link:

https://www.unpac.me/results/8d6ab23d-e0e5-4027-962f-0ce1faf947ea/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle WININET.dll::InternetCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	api-ms-win-crt-runtime-l1-1-0.dll::_get_narrow_winmain_command_line
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample