MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137
SHA3-384 hash: 7945eb6bcaa51b2f9c45c4e9b85f87589d1774b72a62b4351b9b5cfbe5d715150ba93bdd122d746fdf1e1938f4a946a0
SHA1 hash: de043868063b6bf974fcadba147d780f072f1840
MD5 hash: 7f23b18896c52fa40ad0d9b388e6e951
humanhash: washington-papa-fillet-london
File name:shared.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:241'664 bytes
First seen:2024-05-16 09:53:06 UTC
Last seen:2024-05-16 10:21:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:+nnz3hg6HD2AY3ryCDP7h77StH2BLlr/a:+nz3hjQuA7t7StWBLl
TLSH T1CC3412826FDF6876DF3222BC8388E7914349497256A6C3AF183105C77EEA3F940954B3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter NDA0E
Tags:AsyncRAT exe xworm


Avatar
NDA0E
http://157.254.165.243/xw/shared.exe

XWorm C2: dvaverif.ru:7000 (157.254.165.243:7000)

Intelligence

File Origin
# of uploads :
2
# of downloads :
365
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://157.254.165.243/xw/shared.exe
Verdict:
Malicious activity
Analysis date:
2024-05-16 09:37:33 UTC
Tags:
xworm
Link:
https://app.any.run/tasks/ac09882f-2a96-428e-bcbd-207d03d77fd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
DNS request
Connection attempt
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
MSILPerseus.Generic
Link:
https://www.hybrid-analysis.com/sample/4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b8ffc59-9cbc-47cf-9fa8-25746d349865
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1442530
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1442530 Sample: shared.exe Startdate: 16/05/2024 Architecture: WINDOWS Score: 100 25 dvaverif.ru 2->25 29 Malicious sample detected (through community Yara rule) 2->29 31 Antivirus detection for URL or domain 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 8 other signatures 2->35 8 shared.exe 3 2->8         started        signatures3 process4 dnsIp5 27 dvaverif.ru 157.254.165.243, 7000 BEANFIELDCA United States 8->27 37 Bypasses PowerShell execution policy 8->37 39 Adds a directory exclusion to Windows Defender 8->39 12 powershell.exe 23 8->12         started        15 powershell.exe 23 8->15         started        17 WerFault.exe 19 16 8->17         started        19 WerFault.exe 2 8->19         started        signatures6 process7 signatures8 41 Loading BitLocker PowerShell Module 12->41 21 conhost.exe 12->21         started        23 conhost.exe 15->23         started        process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2024-05-16 08:21:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfj5ndlix4jxifzsdo74hnzap3tlf2vqzfqax2el3u2qdfq6ue3q._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/240516-lw7nfsfa2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Unpacked files
SH256 hash:
9d4cba03e1bbce45cc1bc70e5502b0bf892968d7fb8e43a8fc703c6e29c0711f
MD5 hash:
f68e07395ca94b3b02a8b7a15340a3c7
SHA1 hash:
ef42fd901a82765c29eb0244af603579c0f63db1
Link:
https://www.unpac.me/results/bd2ddaa5-7e54-4992-adf0-5c815cbf08b4/
SH256 hash:
0e9be6b2c150849883ed4fa481b7211c7400f4bb298748430ac9505dc48392a4
MD5 hash:
9df97252d2e042f6af8fc8c537acc6bf
SHA1 hash:
2603a7004c6022f83a55020a3fe3218d970e6c57
Detections:
XWorm
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/bd2ddaa5-7e54-4992-adf0-5c815cbf08b4/
SH256 hash:
4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137
MD5 hash:
7f23b18896c52fa40ad0d9b388e6e951
SHA1 hash:
de043868063b6bf974fcadba147d780f072f1840
Detections:
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/bd2ddaa5-7e54-4992-adf0-5c815cbf08b4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4953d68d68bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

Shortcut (lnk) lnk 3488fe12c3493039d9eddabf5fb04bf9bb3a54bcd591ab911857b602c85f2e66

AsyncRAT

Executable exe 4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137

(this sample)

  
X
https://twitter.com/NDA0E/status/1791039909672652935
  
Dropped by
SHA256 3488fe12c3493039d9eddabf5fb04bf9bb3a54bcd591ab911857b602c85f2e66
  
Dropped by
SHA256 4b056176eff38ea62624a06c424eb2ff021a616c884295d4b79366c1dc2aa066
  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2851636/
  
URLhaus
https://urlhaus.abuse.ch/url/2851635/
  
Dropped by
MD5 a8d941db4a8f2301c661abff9d0121fa
  
Dropped by
MD5 634eb9320cb4f68904ae3b1a7f79e618

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
Kasibe commented on 2024-05-17 10:53:34 UTC

Xworm