MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2
SHA3-384 hash: 3d9bdcda515f966a3ccbfa33b9940dba087cd10238b90881dc77f1afef6982923bcd2c79599f108251dcbd4f41b6eb1b
SHA1 hash: b4de34ba22fa8a80ab8935a7419b0af09e253786
MD5 hash: 93b415ddc8d72917ec53b3345d4ecdf1
humanhash: four-black-lion-uniform
File name:SecuriteInfo.com.Win64.Evo-gen.1756.25811
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:17'916'077 bytes
First seen:2024-04-13 18:18:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a3d629f5a29590a5e3c40a85e9084e58 (1 x AsyncRAT, 1 x DanaBot)
ssdeep 196608:E1EkmzneiHDfyGgMwBdnpkYRMASENKeWzrkSz/xhHfR1FjvZ26jalCBV+dajflsr:WEkCnJDfDgMc6h4KhkePH9njaAdsTvH
TLSH T1E907332BA0120886C0E4D675D94F973DB0B2F9814BC4BA85EA3CDF391F29D957B3AD44
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e8b0733371b2d0a8 (1 x AsyncRAT)
Reporter SecuriteInfoCom
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2.exe
Verdict:
Malicious activity
Analysis date:
2024-04-13 18:21:45 UTC
Tags:
python miner silentcryptominer xworm xmrig
Link:
https://app.any.run/tasks/b2c3cc15-93c4-40d9-bb31-b8f26d5f17cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Running batch commands
Creating a process with a hidden window
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto expand lolbin miner overlay packed packed pyinstaller pyinstaller
Link:
https://www.filescan.io/uploads/661acc974237b7a997bd0145/reports/81330df3-2a9d-4dd6-b5b6-09854330d778/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3eb69649-a8de-4c68-b31d-5fefa0103439
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1425503
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Found malware configuration
Found pyInstaller with non standard icon
Hides threads from debuggers
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Uses powercfg.exe to modify the power settings
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1425503 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 13/04/2024 Architecture: WINDOWS Score: 100 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for URL or domain 2->103 105 12 other signatures 2->105 10 SecuriteInfo.com.Win64.Evo-gen.1756.25811.exe 121 2->10         started        14 OneDriver.exe 2->14         started        process3 file4 83 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 10->83 dropped 85 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 10->85 dropped 87 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 10->87 dropped 89 98 other files (94 malicious) 10->89 dropped 109 Contains functionality to infect the boot sector 10->109 111 Adds a directory exclusion to Windows Defender 10->111 113 Found pyInstaller with non standard icon 10->113 16 SecuriteInfo.com.Win64.Evo-gen.1756.25811.exe 1 10->16         started        115 Multi AV Scanner detection for dropped file 14->115 signatures5 process6 file7 77 C:\Users\user\AppData\Local\...\build.exe, PE32 16->77 dropped 95 Adds a directory exclusion to Windows Defender 16->95 97 Hides threads from debuggers 16->97 20 build.exe 16->20         started        23 powershell.exe 23 16->23         started        26 powershell.exe 23 16->26         started        28 4 other processes 16->28 signatures8 process9 file10 79 C:\Users\user\AppData\Local\...\OneDriver.exe, PE32+ 20->79 dropped 81 C:\Users\user\...\MicrosoftService.exe, PE32 20->81 dropped 30 OneDriver.exe 20->30         started        34 MicrosoftService.exe 20->34         started        107 Loading BitLocker PowerShell Module 23->107 36 conhost.exe 23->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        42 conhost.exe 28->42         started        44 conhost.exe 28->44         started        46 conhost.exe 28->46         started        signatures11 process12 file13 91 C:\ProgramData\OneDriver.exe, PE32+ 30->91 dropped 117 Uses powercfg.exe to modify the power settings 30->117 119 Adds a directory exclusion to Windows Defender 30->119 121 Modifies power options to not sleep / hibernate 30->121 48 powershell.exe 30->48         started        51 cmd.exe 30->51         started        53 cmd.exe 30->53         started        57 13 other processes 30->57 123 Bypasses PowerShell execution policy 34->123 55 powershell.exe 34->55         started        signatures14 process15 signatures16 93 Loading BitLocker PowerShell Module 48->93 59 conhost.exe 48->59         started        61 conhost.exe 51->61         started        63 wusa.exe 51->63         started        73 2 other processes 53->73 65 conhost.exe 55->65         started        67 conhost.exe 57->67         started        69 conhost.exe 57->69         started        71 conhost.exe 57->71         started        75 10 other processes 57->75 process17
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2/
Threat name:
Win64.Backdoor.Xworm
Create hunting rule
Status:
Malicious
First seen:
2024-04-06 21:07:56 UTC
File Type:
PE+ (Exe)
Extracted files:
1044
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=di3jh26s2zuhigulh5usdsqxfvwxfnrhcbyr7cvn4vb6ogf4dwza._file
Verdict:
unknown
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm evasion persistence pyinstaller rat trojan
Link:
https://tria.ge/reports/240413-wx6gwsaf51/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
Stops running service(s)
Detect Xworm Payload
Xworm
Unpacked files
SH256 hash:
1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2
MD5 hash:
93b415ddc8d72917ec53b3345d4ecdf1
SHA1 hash:
b4de34ba22fa8a80ab8935a7419b0af09e253786
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/386c4771-8c1e-4c45-ba10-438e524adc9d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 1a3693ebd2d668741a8b3f6921ca172d6d72b62710711f8aade543e718bc1db2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2811030/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleCtrlHandler
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments