MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1
SHA3-384 hash: f98b15277379c7e4449a5588057abf6675da04186469bdab571b1e7d5e2274d6ee22ffff31d68b7fde012a6bc191aa59
SHA1 hash: 99430a3b7f678213187e3dc0960bcbd8524eb321
MD5 hash: dcde42495890ea1e359859eb9e6d6fa9
humanhash: moon-johnny-lactose-solar
File name:BootstrapperV3.0.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:195'584 bytes
First seen:2024-09-14 10:51:21 UTC
Last seen:2024-09-14 11:29:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:FTDuN1zyRM+xrabvQzOwBKx1b7Ndo8tiD2E65pnoPH/4hvbeWg2JULyKPykwxxiC:lDu7Oe2ygOsKv74aE21oX4h6oUyBxJ
Threatray 1'139 similar samples on MalwareBazaar
TLSH T19814129D26F143B7D8B90BB24839891643F3BA155CA7C32F519C16A38FA398F4B9407D
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:exe xworm


Avatar
iamaachum
https://download.oxy.st/d/hLdi/

XWorm C2: active-way.gl.at.ply.gg:38198

Intelligence

File Origin
# of uploads :
2
# of downloads :
410
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.65.877.31164.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e56ad32ebf76853bd5c013
Tags:
Execution Generic Stealth Trojan Heur
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/66e56ad35e9303a294219680/reports/a1b75876-c654-47df-acba-0bcab2fe0907/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9167f440-ccb8-4ed2-9d09-3e1b4a237b7b
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1511214
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1511214 Sample: BootstrapperV3.0.exe Startdate: 14/09/2024 Architecture: WINDOWS Score: 100 102 active-way.gl.at.ply.gg 2->102 104 18.31.95.13.in-addr.arpa 2->104 108 Suricata IDS alerts for network traffic 2->108 110 Found malware configuration 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 17 other signatures 2->114 15 BootstrapperV3.0.exe 5 2->15         started        signatures3 process4 file5 94 C:\Users\user\AppData\...\host123exe.exe, PE32 15->94 dropped 96 C:\Users\user\AppData\Local\Temp\bobr2.exe, PE32 15->96 dropped 98 C:\Users\user\AppData\...\XBinderOutput.exe, PE32+ 15->98 dropped 100 C:\Users\user\...\BootstrapperV3.0.exe.log, CSV 15->100 dropped 18 XBinderOutput.exe 4 15->18         started        22 bobr2.exe 6 15->22         started        25 host123exe.exe 5 15->25         started        process6 dnsIp7 84 C:\Users\user\AppData\Local\...\XClient.exe, PE32 18->84 dropped 86 C:\Users\user\AppData\Local\Temp\Solara.exe, PE32+ 18->86 dropped 116 Multi AV Scanner detection for dropped file 18->116 118 Machine Learning detection for dropped file 18->118 27 XClient.exe 5 18->27         started        31 Solara.exe 18->31         started        106 active-way.gl.at.ply.gg 147.185.221.22, 38198, 52842, 52843 SALSGIVERUS United States 22->106 88 C:\ProgramData\Yandex.exe, PE32 22->88 dropped 120 Antivirus detection for dropped file 22->120 122 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->122 124 Protects its processes via BreakOnTermination flag 22->124 126 Bypasses PowerShell execution policy 22->126 33 powershell.exe 22->33         started        90 C:\ProgramData\svchost.exe, PE32 25->90 dropped 128 Adds a directory exclusion to Windows Defender 25->128 130 Drops PE files with benign system names 25->130 35 powershell.exe 25->35         started        file8 signatures9 process10 file11 92 C:\ProgramData\Solara.exe, PE32 27->92 dropped 134 Antivirus detection for dropped file 27->134 136 Multi AV Scanner detection for dropped file 27->136 138 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->138 144 2 other signatures 27->144 37 powershell.exe 27->37         started        140 Machine Learning detection for dropped file 31->140 40 Solara.exe 31->40         started        42 XClient.exe 31->42         started        142 Loading BitLocker PowerShell Module 33->142 44 conhost.exe 33->44         started        46 conhost.exe 35->46         started        signatures12 process13 signatures14 132 Loading BitLocker PowerShell Module 37->132 48 conhost.exe 37->48         started        50 Solara.exe 40->50         started        52 XClient.exe 40->52         started        process15 process16 54 Solara.exe 50->54         started        56 XClient.exe 50->56         started        process17 58 Solara.exe 54->58         started        60 Solara.exe 54->60         started        62 XClient.exe 54->62         started        64 XClient.exe 54->64         started        process18 66 Solara.exe 58->66         started        68 XClient.exe 58->68         started        70 Solara.exe 60->70         started        72 XClient.exe 60->72         started        process19 74 Solara.exe 66->74         started        76 XClient.exe 66->76         started        78 Solara.exe 70->78         started        80 XClient.exe 70->80         started        process20 82 XClient.exe 74->82         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1/
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-09-13 19:58:53 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
5
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmbjrk2nfpzqzaajz5acs66v5lg3focfukdxrk254hsff7usbgqq._file
Verdict:
malicious
Similar samples:
098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc
AsyncRAT
366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
AsyncRAT
6da74b01243c098ebe1eef73d8c2459e51b64994590d301a9bd5bd432ea1e831
AsyncRAT
ba61b838a6b159d1d8f6fbbd1c80016fe7277225d1847de9ae50d0d83b29f9f1
AsyncRAT
+ 1'129 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/240914-mydnts1bjb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
127.0.0.1:38198
active-way.gl.at.ply.gg:38198
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc8ee255-0fe5-40fd-8bcb-18df9f4aa970
Unpacked files
SH256 hash:
feb9b215394c869d1dc94a3374d2e80ae34828bf1ea65f31e56e9ee6f09a9b20
MD5 hash:
32fcb3bdc338aeeb8c361b7e6ce97df4
SHA1 hash:
8b9001742e4b1b0352e3fc5d95b48b8acfe9d645
Link:
https://www.unpac.me/results/906adf1e-5f8b-4cc4-b355-ac1c583754d9/
SH256 hash:
b5cc85c245f92044f8c79d7c94d3fcb4763be8a1d339d580a4e47540f7a1fd97
MD5 hash:
4af398a46d4bd09811ced324ba8cc22c
SHA1 hash:
458264f284969210c1128bac89dbf06ac48ad85d
Link:
https://www.unpac.me/results/906adf1e-5f8b-4cc4-b355-ac1c583754d9/
SH256 hash:
57ebb667e827dacccc919e415eb6c576e8f485ebbe190fe95f99297e341792d6
MD5 hash:
ca43dbf2d2597698196930e40f8d4fb9
SHA1 hash:
06873345e8aee2d65bf6a159b8b8f3eaa0df6de5
Link:
https://www.unpac.me/results/906adf1e-5f8b-4cc4-b355-ac1c583754d9/
SH256 hash:
ce9806f513a2bf98353ec746f13036809ee6dc99b48b3b69045eca583afd9616
MD5 hash:
3c2179f884ad86734144b268727b1062
SHA1 hash:
fdccecf7243a1f21c2f85dacc0af491f704f950a
Detections:
win_xworm_w0
Create hunting rule
Link:
https://www.unpac.me/results/906adf1e-5f8b-4cc4-b355-ac1c583754d9/
SH256 hash:
4d952b8c07b1c1c2c10fb56ac39693e0ed3202ea59fc3d04ac9482126e49b645
MD5 hash:
6f7394529838f9e96294d0140de415cd
SHA1 hash:
8691ee6fce8f5945c8608606c1dcace4b16193d2
Detections:
win_xworm_w0
Create hunting rule
Link:
https://www.unpac.me/results/906adf1e-5f8b-4cc4-b355-ac1c583754d9/
SH256 hash:
ab2e826a7160490a573ee2b95325f38e7f0469aeb8e1fecf8e1f737bc04a2fa6
MD5 hash:
1c84f30be210e3fd83f85d109aa1e4ad
SHA1 hash:
923a649dd3aa15609b7791ec9e03e2c3d8f8c35c
Detections:
win_xworm_w0
Create hunting rule
Link:
https://www.unpac.me/results/906adf1e-5f8b-4cc4-b355-ac1c583754d9/
SH256 hash:
3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1
MD5 hash:
dcde42495890ea1e359859eb9e6d6fa9
SHA1 hash:
99430a3b7f678213187e3dc0960bcbd8524eb321
Link:
https://www.unpac.me/results/906adf1e-5f8b-4cc4-b355-ac1c583754d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XWorm
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 3b0298ab4d2bf30c8009cf40297bd5eacdb2b845a28778ab5de1e452fe9209a1

(this sample)

  
Link
https://tria.ge/240914-ms3qrszcqp
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments