MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
SHA3-384 hash: 8c2e38668ea3be4a9c2ed822f45d8125dd2e4fc0ec3cf1f50c49aa8743aa788105af9d09f3af16c1a56f964b78624008
SHA1 hash: cf71024bf28f10f63bf7cd27dba64d406c2ed97c
MD5 hash: a4c1ea4b6e69e69462efa7659ff6f48c
humanhash: india-ten-sixteen-bacon
File name:cry.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'317'888 bytes
First seen:2024-11-04 18:03:59 UTC
Last seen:2024-11-04 19:19:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:/84F/cDq4sTq+gdI2W+7nMS9LJf4bcwGCYVgERFh7IfEx0ECnaf:kEcyjgmkMS9L2cFCER0f+0ECna
Threatray 1'680 similar samples on MalwareBazaar
TLSH T1FE55C013BA974DA1E34B6737C6EB50040BB4D981622BDB1FB8AE1399F9037B65840737
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter _kphi
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
429
Origin country :
IN IN
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-04 18:02:14 UTC
Tags:
remote xworm rat asyncrat github purecrypter netreactor purehvnc
Link:
https://app.any.run/tasks/9de09bdb-8905-4180-90a9-ec8855885770

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.LRM.gen.Eldorado.26355.3483.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67290c968d23d90491336cf9
Tags:
autorun extens virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
net_reactor packed packed packer_detected
Link:
https://www.filescan.io/uploads/67290c9c71d9bf499cf93a30/reports/036f7d29-34fd-469a-8d2a-fbfe9874b722/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a1c226d-d8a7-49f9-9f86-5ead90fe5345
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1548704
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dk5thoebicfqgqnfgdpbjmfp3oels3742asu3u4xqsg3hzsqrabq._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
sorano
Create hunting rule
xworm
Create hunting rule
Similar samples:
1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
AsyncRAT
3fa4ae4ae197fa29bb3b99af1b7b786fc125d4d6248e2198570332c67c120a53
AsyncRAT
6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
AsyncRAT
854a1805c4f017a39d6017fcfbabeacf68918e95419c8d73108a090a1bb08202
AsyncRAT
e8a17341b844a888c477555c2ea2c4db69632030a230e74edaa096cf5402b623
AsyncRAT
error
AsyncRAT
f4deeaeaf6a4173c46ef5df50139cd54d144dc0cc0d685b2717c1590cc8b1b1b
AsyncRAT
+ 1'670 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm credential_access discovery execution persistence rat stealer trojan
Link:
https://tria.ge/reports/241104-wnkttsxkgk/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Uses browser remote debugging
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Malware Config
C2 Extraction:
127.0.0.1:8895
162.230.48.189:8895
Verdict:
Malicious
Tags:
xworm asyncrat xworm
YARA:
n/a
Link:
https://app.threat.zone/submission/dc15e12d-eca0-4283-be90-8453e7a2a8b3
Unpacked files
SH256 hash:
f13de94faf7544d6b9b66fa04978e3ba90adf79d606c61180d74f63c51143b1b
MD5 hash:
5128c63b79c66f89e63e6e1b2d97324f
SHA1 hash:
6515f5122eb6687dccc7bd67679476ee48286540
Link:
https://www.unpac.me/results/9b6b5d20-8218-4840-bd40-97e8074a7115/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/9b6b5d20-8218-4840-bd40-97e8074a7115/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/9b6b5d20-8218-4840-bd40-97e8074a7115/
SH256 hash:
0cd2dee30617586dbee61fa7558be40c9698d22608ae9d5e07faa2617a55a5a1
MD5 hash:
3739ee146d7df97807a29cf16c2e8880
SHA1 hash:
308370366ca4e7aa85f9c10030bfa6fcc84dc0ea
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/9b6b5d20-8218-4840-bd40-97e8074a7115/
SH256 hash:
d0084e36daae29ca9d2ecab5d42e236d59b7951dc1f43f3aebe9127e0bcd16c7
MD5 hash:
58d723d4c8760e50f25fc97ff634b416
SHA1 hash:
124941e907ecb518442333710e8ad9270f03af06
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9b6b5d20-8218-4840-bd40-97e8074a7115/
SH256 hash:
1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
MD5 hash:
a4c1ea4b6e69e69462efa7659ff6f48c
SHA1 hash:
cf71024bf28f10f63bf7cd27dba64d406c2ed97c
Link:
https://www.unpac.me/results/9b6b5d20-8218-4840-bd40-97e8074a7115/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1abb33b88140/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9

AsyncRAT

Executable exe 1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803

(this sample)

  
Link
https://www.virustotal.com/gui/file/1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
  
Dropped by
SHA256 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/3275775/
  
URLhaus
https://urlhaus.abuse.ch/url/3275856/
  
Dropped by
MD5 acfdf588da4f3d02f8b4e6db8cc9e60d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments