MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
SHA3-384 hash: 040457c34965554abe0f94deba4584bcd00f3a1dbe8168a6fa57fea8acf794acaadaf4be3ec43004066625f06ba2b8c8
SHA1 hash: f96f403087bb1ad5483bc68a5a3db8a1ca833f4e
MD5 hash: ccfa4401df6dcaef4265f5edd06f3fde
humanhash: bluebird-nine-summer-pluto
File name:Nursultan.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:920'064 bytes
First seen:2024-09-06 23:45:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:9tZhUkDINlUj3HMcggFUnCwCjsiD5udn3:9tZySIUj3HDgyUCrjsi
Threatray 65 similar samples on MalwareBazaar
TLSH T16515337E03DD8700D44E1D3863B74D1361A76A92B03EA38CBB4825CE1BAD6678DDB14B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 70e8e8f0d89ad878 (1 x XWorm, 1 x BlankGrabber, 1 x AsyncRAT)
Reporter adm1n_usa32
Tags:AsyncRAT exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
659
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nursultan.exe
Verdict:
Malicious activity
Analysis date:
2024-09-06 23:44:51 UTC
Tags:
evasion xworm remote
Link:
https://app.any.run/tasks/d1005904-c8d9-43a0-b463-f039cff19a53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop21.55508.30918.13612.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66db943d8e12b8124ac969a7
Tags:
Discovery Execution Network Other Stealth Trojan Dropper
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Reading critical registry keys
DNS request
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Connection attempt
Sending an HTTP GET request
Launching cmd.exe command interpreter
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Creating a window
Enabling the 'hidden' option for files in the %temp% directory
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
exploit overlay packed vbnet
Link:
https://www.filescan.io/uploads/66db943bc6168b0c1c97eb87/reports/094024db-a0cd-4fc0-a37b-dbd04e3abd9f/overview
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f93c3aca-912e-4c09-9512-24233f8de82c
Result
Threat name:
44Caliber Stealer, BlackGuard, Blank Gra
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1505919
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Yara detected 44Caliber Stealer
Yara detected BlackGuard
Yara detected Blank Grabber
Yara detected Generic Downloader
Yara detected Rags Stealer
Yara detected Umbral Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1505919 Sample: Nursultan.exe Startdate: 07/09/2024 Architecture: WINDOWS Score: 100 147 freegeoip.app 2->147 149 stage-von.gl.at.ply.gg 2->149 151 3 other IPs or domains 2->151 163 Suricata IDS alerts for network traffic 2->163 165 Found malware configuration 2->165 167 Malicious sample detected (through community Yara rule) 2->167 171 28 other signatures 2->171 14 Nursultan.exe 4 2->14         started        signatures3 169 Tries to detect the country of the analysis system (by using the IP) 147->169 process4 file5 141 C:\Users\user\AppData\Local\...141ursultan.exe, PE32 14->141 dropped 143 C:\Users\user\AppData\...\Microsoft Edge.exe, PE32 14->143 dropped 145 C:\Users\user\AppData\...145ursultan.exe.log, CSV 14->145 dropped 219 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->219 18 Nursultan.exe 2 14->18         started        22 Microsoft Edge.exe 15 6 14->22         started        25 Conhost.exe 14->25         started        signatures6 process7 dnsIp8 129 C:\Users\user\AppData\...129ursultan2.exe, PE32 18->129 dropped 173 Antivirus detection for dropped file 18->173 175 Multi AV Scanner detection for dropped file 18->175 177 Machine Learning detection for dropped file 18->177 27 Nursultan2.exe 5 18->27         started        31 Nursultan.exe 1 18->31         started        159 ip-api.com 208.95.112.1, 49704, 49708, 49731 TUT-ASUS United States 22->159 161 stage-von.gl.at.ply.gg 147.185.221.22, 19496, 49728, 49733 SALSGIVERUS United States 22->161 131 C:\Users\user\AppData\...\Microsoft Edge, PE32 22->131 dropped 179 Protects its processes via BreakOnTermination flag 22->179 181 Adds a directory exclusion to Windows Defender 22->181 33 powershell.exe 22->33         started        file9 signatures10 process11 file12 137 C:\Users\user\AppData\Local\Temp\Umbral.exe, PE32 27->137 dropped 139 C:\Users\user\AppData\Local\...\Insidious.exe, PE32 27->139 dropped 205 Antivirus detection for dropped file 27->205 207 Multi AV Scanner detection for dropped file 27->207 209 Machine Learning detection for dropped file 27->209 211 Found many strings related to Crypto-Wallets (likely being stolen) 27->211 35 Umbral.exe 27->35         started        40 Insidious.exe 27->40         started        42 cmd.exe 27->42         started        44 Microsoft Edge.exe 27->44         started        46 Nursultan.exe 31->46         started        48 Nursultan2.exe 31->48         started        213 Loading BitLocker PowerShell Module 33->213 50 conhost.exe 33->50         started        signatures13 process14 dnsIp15 153 discord.com 162.159.135.232, 443, 49732, 49738 CLOUDFLARENETUS United States 35->153 133 C:\ProgramData\Microsoft\...\uOWQK.scr, PE32 35->133 dropped 135 C:\Windows\System32\drivers\etc\hosts, ASCII 35->135 dropped 187 Antivirus detection for dropped file 35->187 189 Multi AV Scanner detection for dropped file 35->189 191 Machine Learning detection for dropped file 35->191 203 5 other signatures 35->203 52 powershell.exe 35->52         started        55 WMIC.exe 35->55         started        65 2 other processes 35->65 155 freegeoip.app 188.114.97.3, 443, 49705, 49715 CLOUDFLARENETUS European Union 40->155 157 ipbase.com 104.21.85.189, 443, 49707, 49716 CLOUDFLARENETUS United States 40->157 193 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->193 195 Found many strings related to Crypto-Wallets (likely being stolen) 40->195 197 Tries to harvest and steal browser information (history, passwords, etc) 40->197 199 Tries to steal Crypto Currency Wallets 40->199 201 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 42->201 57 cmd.exe 42->57         started        67 4 other processes 42->67 59 Nursultan.exe 46->59         started        61 Nursultan2.exe 46->61         started        63 cmd.exe 48->63         started        69 4 other processes 48->69 file16 signatures17 process18 signatures19 183 Loading BitLocker PowerShell Module 52->183 71 conhost.exe 52->71         started        73 conhost.exe 55->73         started        82 2 other processes 57->82 75 Nursultan2.exe 59->75         started        84 2 other processes 59->84 77 cmd.exe 61->77         started        86 3 other processes 61->86 185 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 63->185 88 5 other processes 63->88 80 conhost.exe 65->80         started        process20 signatures21 90 Conhost.exe 71->90         started        92 cmd.exe 75->92         started        103 3 other processes 75->103 217 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 77->217 95 cmd.exe 77->95         started        105 3 other processes 77->105 97 Nursultan2.exe 84->97         started        99 Nursultan.exe 84->99         started        101 cmd.exe 88->101         started        107 2 other processes 88->107 process22 signatures23 215 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 92->215 109 cmd.exe 92->109         started        111 conhost.exe 92->111         started        113 chcp.com 92->113         started        115 timeout.exe 92->115         started        117 cmd.exe 95->117         started        119 cmd.exe 95->119         started        121 cmd.exe 97->121         started        123 Conhost.exe 99->123         started        process24 process25 125 cmd.exe 109->125         started        127 cmd.exe 109->127         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4/
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-09-06 23:46:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzxqquagssts3f5bnl72qae7b74i3bmya6t5ftevgowknv6e7l2a._file
Verdict:
malicious
Similar samples:
518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818
AsyncRAT
91c5051a0acc3b7f63b5b33abd6e325dc516665eb06a883b4e03a25873b4fe39
AsyncRAT
af0c48ca1ed3431b936d489bf1e8255a5d4182bd6164946bd6179ae3f212d0b1
AsyncRAT
e009fee742f6dd1d2c9fc0e840dbeeca1a705a13c2667bf09daf216c60411e89
AsyncRAT
+ 55 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/240906-3r92fstgph/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
stage-von.gl.at.ply.gg:19496
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/19782ffc-9721-4673-94cb-e8d8f4a8e0b0
Unpacked files
SH256 hash:
dfcf3ed114355b554d2a3814946029c2688c4f617959b69375ed730250b9e9b1
MD5 hash:
c2a5cd7c5f8a633bafb54b62cee38077
SHA1 hash:
033474beffb4c91158bd208eb80b39c0a26f6b2d
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
4d3a9636e9d29f227b56d7bf140154384e1f426b69cf213ae46115e8d966aa92
MD5 hash:
df69e1468a4656f2eec526de59a89a8b
SHA1 hash:
e65e192be57cd672b8ef19cd72ad89cbd3f8f60a
Detections:
UmbralStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
Create hunting rule
MALWARE_Win_UmbralStealer
Create hunting rule
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
3cf9d10fb9434a9c83d0fb65401e65b11fa643264ff17b5a9d75022e5d41ae29
MD5 hash:
b70c03532081c928f946e844c5d2172d
SHA1 hash:
7908b1d1e9ab5e222faa6c816dd861382aa4a5c5
Detections:
fortyfourcaliber_stealer
Create hunting rule
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
85346da22eb47ca404caa7acc61adda05e4ecb92a99f7f9996e04aa845d94e67
MD5 hash:
61b2cc02888da42c4332c812884d8667
SHA1 hash:
79fb9d18ef4e67579e606de955b495d5e5f93474
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
MD5 hash:
16e5a492c9c6ae34c59683be9c51fa31
SHA1 hash:
97031b41f5c56f371c28ae0d62a2df7d585adaba
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
738c2f09d5ab56751bd47c492a743208291dc7ce128b7f0eacfcc9eedf97c786
MD5 hash:
0ba8218f991e81620f31083273ee7d91
SHA1 hash:
980539589b8bba6e619c836436d8c5ba8aebd18a
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
a0ef7e6bd1d8e6d2a39bb1a7a5956f647104d68ccc680ada87f5cc6883aa77d6
MD5 hash:
5f9d87682292e2926a3afe6a9ad63ca9
SHA1 hash:
618564b939996bdb07ce077c6c3131072691aa84
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
4c9980b653343c08d0162d2d8a6f6488bd2ca34a5fcd14762670b872315d39c6
MD5 hash:
a99954bff017983bf455de31c5f0696a
SHA1 hash:
6302c232c1dd4da3b0a013b95f94f7619b354d0a
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
9ef42efb4773c2b76f2de20064a20ab8e14b7f21e554e75f2cd95b44158cf887
MD5 hash:
3dcfe81a40c52aa75e80988e3f07752f
SHA1 hash:
8d323de014924c5ee2d01ebaa0e2e8ae37d8c61e
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
0965754facf336439942304640726a00e58cb13011068321ec294b6e47539b3c
MD5 hash:
042245c954c4d28a65edab4a41b90237
SHA1 hash:
f40abd3c95ce7b1c2a4433568ec1f24380a3c061
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
SH256 hash:
366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
MD5 hash:
ccfa4401df6dcaef4265f5edd06f3fde
SHA1 hash:
f96f403087bb1ad5483bc68a5a3db8a1ca833f4e
Link:
https://www.unpac.me/results/c9888fe3-ba9b-418a-b147-1335a8918c0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments