MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 20



SHA256 hash: 53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9
SHA3-384 hash: ed74849ef6a86628ac5638abbb91228847ed3d0d65508748fc20f9b167d4dc6db5b829b96be71793be749339a629bddf
SHA1 hash: 845b9220d3cebd020193bf6328f51076c9aebcbd
MD5 hash: 5a766fb66446e2c4d436167ef0944eb1
humanhash: carbon-maine-leopard-ack
File name: Launcher.exe
Signature: AsyncRAT
File size: 8'014'963 bytes
First seen: 2025-09-17 14:45:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4d17be67c8d0394c5c1b8e725359ed89 (5 x Adware.Generic, 4 x njrat, 3 x NanoCore)
ssdeep: 196608:uWAeGDVKsgnMV7sZlqrdXUVp5eTM0mnTU3Xp:uW6D8tMV7sZcZXUofmnTw5
Threatray: 1 similar samples on MalwareBazaar
TLSH: T119863390D341BD01CEAAF4B45932E6BD62831F0E07C3DE891ACD4E2BBD525661F991EC
TrID: 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10522/11/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: burger
Tags: AsyncRAT DestinyStealer exe xworm ZeroTraceStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.241.132.125:4242 | https://threatfox.abuse.ch/ioc/1593416/

Intelligence


File Origin
# of uploads :
1
# of downloads :
146
Origin country :
NL
Vendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
Launcher.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 14:40:36 UTC
Tags:
rat asyncrat remote stealer ims-api generic xworm api-base64 crypto-regex zerotrace stormkitty

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
infosteal asyncrat autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a file
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Connection attempt
Adding an access-denied ACE
Sending a custom TCP request
Creating a file in the %AppData% directory
Reading critical registry keys
Changing a file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Forced shutdown of a system process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc obfuscated overlay packed packer_detected
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-17T11:42:00Z UTC
Last seen:
2025-09-17T11:42:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Miner.a PDM:Trojan.Win32.Generic Trojan.Win32.Vimditator.sb HEUR:Trojan.Win32.Generic HEUR:Exploit.MSIL.BypassUAC.c Backdoor.MSIL.XWorm.b Backdoor.MSIL.Crysan.c Trojan-PSW.MSIL.Stealer.a HEUR:Trojan-PSW.MSIL.Stealer.gen HEUR:Backdoor.MSIL.SheetRat.gen Backdoor.MSIL.Darkrat.sb HEUR:HackTool.MSIL.EtwHook.gen HEUR:Backdoor.MSIL.XClient.b Exploit.Win32.BypassUAC.sb Backdoor.MSIL.Crysan.sb PDM:Trojan.Win32.Tasker.cust Trojan-PSW.Win32.Greedy.sb Trojan-PSW.MSIL.Stealerium.sb Trojan.MSIL.DInvoke.sb HEUR:Backdoor.MSIL.XWorm.gen Trojan-Banker.MSIL.ClipBanker.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Agent.gen Backdoor.MSIL.VenomRAT.a Trojan-PSW.MSIL.Agent.sb Trojan.Miner.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.DiscoStealer.sb Trojan.Win32.Agent.sb Backdoor.MSIL.XWorm.a Trojan.PowerShell.Agent.sb Trojan-Dropper.Win32.Dapato.sb Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.Express.sb Trojan.MSIL.Agent.sb not-a-virus:PSWTool.MSIL.BroPass.sb VHO:Backdoor.MSIL.Crysan.gen VHO:Backdoor.MSIL.SpyGate.gen
Malware family:
Stealerium Stealer
Verdict:
Malicious
Result
Threat name:
Destiny Stealer, KeyLogger, StormKitty
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BrowserPasswordDump
Yara detected BrowsingHistoryView browser history reader tool
Yara detected Destiny Stealer
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected Telegram Recon
Yara detected VenomRAT
Yara detected WebBrowserPassView password recovery tool
Yara detected XWorm
Behaviour
Behavior Graph: rendered graph not reproduced here (Behavior Graph ID: 1779366, Sample: Launcher.exe, Startdate: 17/09/2025, Architecture: WINDOWS, Score: 100)
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Spyware.AsyncRAT
Status:
Malicious
First seen:
2025-09-17 14:46:47 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
31 of 38 (81.58%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
xworm admintool_iepassview stormkitty admintool_credentialsfileview zerotracestealer admintool_mailpassview asyncrat admintool_extpassword
Similar samples:
Result
Malware family:
destiny_stealer
Score:
  10/10
Tags:
family:destiny_stealer credential_access discovery execution stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Uses browser remote debugging
Detected Nirsoft tools
NirSoft WebBrowserPassView
Destiny Stealer
Destiny_stealer family
Verdict:
Malicious
Tags:
Win.Packed.njRAT-10002074-1
YARA:
n/a
Unpacked files
SHA256 hash:
53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9
MD5 hash:
5a766fb66446e2c4d436167ef0944eb1
SHA1 hash:
845b9220d3cebd020193bf6328f51076c9aebcbd
SHA256 hash:
f76953c27b5c17dd1f1e7d1ee6d856d0060e6e37e16bcd7d32779c0790dd70ac
MD5 hash:
a4331ba952c4fa4861235c7239165ac2
SHA1 hash:
92a9f54e23a71ebd296b5e9ce4baa4140cacf7ff
Detections:
MAL_NET_LimeCrypter_RunPE_Jan24 INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
SHA256 hash:
3e5b53f8b01e9eaf54c9879fc832f3f71e6b078b6f4cacc93cad05e2a2ff031e
MD5 hash:
b32c6a7aa90dec9cf15add530fd0cb9f
SHA1 hash:
0a7526959015721d87982f7c145a0741aa53b117
Detections:
win_xworm_a0 win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm
SHA256 hash:
ff37506f2c1d82d61f2eadefe66a685d1142d29b7790d90b76c5969a282cc752
MD5 hash:
e9fd1d72d90e7708e516b9ee0cec5fb7
SHA1 hash:
9eed61535ba7d14ad040511b3d44d4853fd05bf0
Detections:
AsyncRAT DiscordRatWebcamGrabber cn_utf8_windows_terminal INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_References_SecTools INDICATOR_SUSPICIOUS_EXE_B64_Artifacts INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA INDICATOR_SUSPICIOUS_EXE_CC_Regex INDICATOR_SUSPICIOUS_EXE_Discord_Regex INDICATOR_SUSPICIOUS_EXE_References_VPN INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs MALWARE_Win_StormKitty MALWARE_Win_AsyncRAT MALWARE_Win_DLAgent10 MALWARE_Win_ArrowRAT MALWARE_Win_VenomRAT
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded PowerShell script.
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature | File type | SHA256
AsyncRAT | Executable exe | 53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9 (this sample)

Comments