MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db
SHA3-384 hash:	207770c12f47eaee8eb586dfd1b51acb8e0697c14a9d5c496507f00ad8d5b52ff7c640cb0dfa3fe5e22de98a0e5ec236
SHA1 hash:	e8f9c1298fdf546f06a00942e72d1fdb8fed2d3f
MD5 hash:	3b6d0af38f1db77037b69a8546332110
humanhash:	eight-lamp-mountain-hamper
File name:	xnLQfmYu7SYa.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	31'232 bytes
First seen:	2024-01-28 23:19:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:r7wTA+5OfPgEBQqWvfcQLZe3s80hYACSqRN9PD42uRugtFuBLTIOZw/WVnvn9Ik5:rrgECfLH8MYAoRN9M2uBFE9RWOqhXbS
Threatray	236 similar samples on MalwareBazaar
TLSH	T1C9E24B483BE48327D6FE2FF229B6910102759507D923EF5F5CD885AB6F67B8142013EA
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	pmelson
Tags:	AsyncRAT exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

343

Origin country :

Vendor Threat Intelligence

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/473308/

Detection(s):

Win.Packed.njRAT-10002074-1

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm

Link:

https://www.filescan.io/uploads/65b6e123814c2aeb14831a3b/reports/5cf0b80b-cbd2-4ac6-a490-89155762c746/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9593a849-4aa5-4a85-8d40-e1f6f51d70cc

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1382383

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db/

Threat name:

ByteCode-MSIL.Backdoor.XWorm

Status:

Malicious

First seen:

2024-01-28 23:20:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hfn4tmrpicvoofnuvaudtwrotlahcxjmmrhmzmuilirte6e4utnq._file

Verdict:

malicious

AsyncRAT

575beebf842e93360ca595466fa746178421d969bba68868f0900f14769a1a32

AsyncRAT

6662f435fa321518a34737f933a3dc07a412a575849f48f4e05c325a60a94f65

AsyncRAT

6c677c1c6aa698d8886acbc085f0140f9574f3aa22e56392d8453fea2f1b2ac5

AsyncRAT

83b91f098157b5ba0147972c1d5c4d751d66fc59d7645e2e643ce863101f6d52

AsyncRAT

b46dbf808c2ebb31c7c25f239f2d0eda5a4474341940e3fdb15d92ba945bf1a4

AsyncRAT

cf6803e262a70ac75b085d41b2e50567f1c8dfee0e879c5b1dc450b966709218

AsyncRAT

+ 226 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm rat trojan

Link:

https://tria.ge/reports/240128-3bdy3seaeq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Legitimate hosting services abused for malware hosting/C2

Detect Xworm Payload

Xworm

Malware Config

C2 Extraction:

0.tcp.sa.ngrok.io:10858

Unpacked files

SH256 hash:

395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db

MD5 hash:

3b6d0af38f1db77037b69a8546332110

SHA1 hash:

e8f9c1298fdf546f06a00942e72d1fdb8fed2d3f

Detections:

XWorm

MALWARE_Win_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

Link:

https://www.unpac.me/results/a0237c1b-57e1-4872-8837-73a0513fae37/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AsyncRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

exe 395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db

(this sample)

Link

https://www.virustotal.com/gui/file/395bc9b22f40aae715b4a82839da2e9ac0715d2c644eccb2885a2332789ca4db/detection

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/473308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample