MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 24 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92
SHA3-384 hash: f435ead2c5ab415d37f761b73cb664eb099cb881d5a4ac05e5dc9c22a09d3fae10717656204fa948e55890dd6ecf81ca
SHA1 hash: ae8cc1bdeb13bd28864c7d2c9d0d3bdddce3f7b5
MD5 hash: 9c5ac5e990d6d7f9b7075e57d3ba57ed
humanhash: colorado-michigan-saturn-victor
File name:9c5ac5e990d6d7f9b7075e57d3ba57ed
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'058'752 bytes
First seen:2023-12-07 04:54:04 UTC
Last seen:2023-12-07 06:15:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f2f006e2ecf7172ad368f8289dc96c1 (40 x LummaStealer, 20 x SalatStealer, 17 x CobaltStrike)
ssdeep 24576:YnQSlmLyuBiGoPBzVb8WHp/5xWIJpfG7Y6RFkme4RCVUbdQQxYFW1jJtmP4aOMUv:YnNsQJ6RhYW1jmwyW
Threatray 4 similar samples on MalwareBazaar
TLSH T10D953900FD8BE0F2EA43593145E6F2BF1730AD154F36CA97EA84766EE5763D6083A205
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ba63ca9a30756c8c (1 x SideWinder, 1 x AsyncRAT)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9c5ac5e990d6d7f9b7075e57d3ba57ed
Verdict:
Malicious activity
Analysis date:
2023-12-07 04:55:18 UTC
Tags:
xworm
Link:
https://app.any.run/tasks/4a794141-f6b0-400b-a016-b48d48742bbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/463097/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.5887.26628.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control go golang lolbin monero
Link:
https://www.filescan.io/uploads/657150288b5ba47db2d5da9f/reports/e80213e7-04c7-4f2b-87ec-c370b27a5615/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0125d9b4-6de9-44d9-9776-d4caf2cf9751
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1355154
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1355154 Sample: mE361bPBAD.exe Startdate: 07/12/2023 Architecture: WINDOWS Score: 100 21 testarosa.duckdns.org 2->21 23 fp2e7a.wpc.phicdn.net 2->23 25 fp2e7a.wpc.2be4.phicdn.net 2->25 29 Multi AV Scanner detection for domain / URL 2->29 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 37 4 other signatures 2->37 7 mE361bPBAD.exe 1 1 2->7         started        10 SpeechRun.exe 2->10         started        12 SpeechRun.exe 2->12         started        signatures3 35 Uses dynamic DNS services 21->35 process4 signatures5 39 Writes to foreign memory regions 7->39 41 Allocates memory in foreign processes 7->41 43 Injects a PE file into a foreign processes 7->43 14 MSBuild.exe 2 7->14         started        17 MSBuild.exe 10->17         started        19 MSBuild.exe 1 12->19         started        process6 dnsIp7 27 testarosa.duckdns.org 141.255.150.69, 7125 IELOIELOMainNetworkFR France 14->27
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 15:43:03 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7ywgazlicbriulkvyewvpit2g2bkgjf2pcpppk2sndiz2vkhsja._file
Verdict:
malicious
Similar samples:
be61122201a9f34c205cc0b73d1fa2ef6bab71badd22681a315f037da364bed2
AsyncRAT
ff95e6d148e53e60b113f05bb54557315ec9b8af82adfaa276a21fbc561a9b77
AsyncRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/231207-fj44xahdbj/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
testarosa.duckdns.org:7125
Unpacked files
SH256 hash:
5473b81e2e7d08424f3e14fa5c0dbb42905c318847ad49866a8e85e410ee8264
MD5 hash:
437e9be2817fd716a37b979cd5fc3fbe
SHA1 hash:
93bc11d32b722d8877623ec6630e3c62b690f307
Detections:
XWorm
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/f56cdc83-6187-48f4-a685-2bf0e8b7127a/
Parent samples :
47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92
c8203b65cbe192900b3df58322bb04baf2f18a6aae04357194a4903119121cb0
SH256 hash:
47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92
MD5 hash:
9c5ac5e990d6d7f9b7075e57d3ba57ed
SHA1 hash:
ae8cc1bdeb13bd28864c7d2c9d0d3bdddce3f7b5
Link:
https://www.unpac.me/results/f56cdc83-6187-48f4-a685-2bf0e8b7127a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47f163032b40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_delivery_check_g0
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 47f163032b408314516aae096abd13d1b4151925d3c4f7bd5a93468ceaaa3c92

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/463097/
  
URLhaus
https://urlhaus.abuse.ch/url/2738265/

Comments


Avatar
zbet commented on 2023-12-07 04:54:05 UTC

url : hxxp://185.196.8.238/SpeechRun.exe