MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 13 File information Comments

SHA256 hash:	7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef
SHA3-384 hash:	700a97d82113489ffb8b69be51fd36c407189090e8681048ab556131e482b0d831382e5aa1083bcef4b07c344fd7f61b
SHA1 hash:	c3b4c41bd9069acaff2816ddc6a99988c9eefea8
MD5 hash:	41dc167b623d1e1d03a4eff1763774ad
humanhash:	iowa-wisconsin-michigan-king
File name:	EFCR_TA_695480 - FCR+E-INVOICE SO 7057 - CARGO READY DATE 2024629.PDF.scr
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	561'152 bytes
First seen:	2024-06-21 09:46:44 UTC
Last seen:	2024-06-21 10:24:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:04L+hETMUnJEz70ABnr9vQ0nqSbBZF70hiolTm+k:3lEz70YWKB8Pl
Threatray	2'647 similar samples on MalwareBazaar
TLSH	T167C40182B2948EC7CD7D09B0B474495A03B6BD56F810D64E2ECA36CD6EF3B92161361F
TrID	53.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.7% (.EXE) Win64 Executable (generic) (10523/12/4) 4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.3% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	fefefff9d3dfc0c0 (5 x AgentTesla, 1 x RemcosRAT, 1 x AsyncRAT)
Reporter	threatcat_ch
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

370

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef.exe

Verdict:

Malicious activity

Analysis date:

2024-06-21 09:49:00 UTC

Tags:

netreactor xworm remote

Link:

https://app.any.run/tasks/137a8ef7-cdb2-44f1-a6c2-5d3878fe607d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.7213.18864.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66754c1950b6d35655cbdab6win7simulatehigh_evasion

Tags:

Banker Encryption Execution Generic Stealth Heur Dexter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Creating a process with a hidden window

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/66754c1b0bf5978c0b11197a/reports/8eae4fe3-45c7-44dc-88ef-23a1ed7eda29/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e1e5012-2756-4c23-ba26-4c29f4cfc9b8

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1460653

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Snort IDS alert for network traffic

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-06-21 09:47:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5yo3xpjudwpiovo6iuzl6ukklp2a5fe6j6pmxryi6iippdrhdxq._file

Verdict:

malicious

AsyncRAT

73be2761ef92433223e1775047b843d237dd5994e1a7ca3dc994e3737a2a7f07

AsyncRAT

7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef

AsyncRAT

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

AsyncRAT

af2150ebafd8f655bc625da183bfa64597a6e16456f3be68b47830e418fdf2ac

AsyncRAT

+ 2'637 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm execution rat trojan

Link:

https://tria.ge/reports/240621-lr7gwsvdrg/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Drops startup file

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Malware Config

C2 Extraction:

104.250.180.178:5414

Unpacked files

SH256 hash:

bffcade57f5185eac91b295629fbad6e5864c64e2e9fade026b2aa4f545e2554

MD5 hash:

ea1aad41ed4891934891ad0f18bfb96a

SHA1 hash:

4cfa8b85564b4bbf2a12c3dc5694b0a5605d5bf9

Detections:

XWorm

MALWARE_Win_XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

Link:

https://www.unpac.me/results/ebce771d-35c6-4f1c-b0a2-7bba4113c2ff/

Parent samples :

7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef
c5b0b32f802212f9064e44546d4104ab79da10765e91abb13a5e8469c6e3156b

SH256 hash:

989507df3a99a6c893c70bae14fddd0363e5c859d1ee5701ab7e8141b1921a71

MD5 hash:

015dbef47bf1b8b49e80f441ead4c779

SHA1 hash:

49133720d3fc6320ef0da3927d81e20076aa6019

Link:

https://www.unpac.me/results/ebce771d-35c6-4f1c-b0a2-7bba4113c2ff/

SH256 hash:

38e4d46721467657ae26bd49abd1142e394bdedcd858de6c898dc3d98f27ac4e

MD5 hash:

bed37cc14792c6a2d9c57d4f672b9a50

SHA1 hash:

252ff5cd27103f48d5f06de98c4ab8276802bcf3

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/ebce771d-35c6-4f1c-b0a2-7bba4113c2ff/

Parent samples :

fefe641b6760cae3c05d6201f81f695bd15acc2937c2c060f7217975ea621dcb
eaa2120eb5d6104aa77fb5da019934bef8e84fa65606993766007712ccd0c521
7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef
09e3e78eca5cf1f5474e8998e3f87f9268f127f77bf306443855a7ae5244e15c
df83a2880c473c9491465e517ca3fdeefb533e3520b13432b7e6f063ccea8247
ace149a232afd3aa170b48d79a32502f7b3ebfb1a82de8b4fa362ae2652859b2
4626f5ee1aa57105246246df1b2aa4bdeca358e55a650e452ac529b5c39ef20e

SH256 hash:

9a577d31e2c9a641f75ddaed2b0c4009e283d51c005e3fbbca81786bff761f21

MD5 hash:

ed61a5aa0f4d1ce89382122fd40086cb

SHA1 hash:

12d91d13eec29f2fd66fa4884d26798ffb2e1b34

Link:

https://www.unpac.me/results/ebce771d-35c6-4f1c-b0a2-7bba4113c2ff/

SH256 hash:

7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef

MD5 hash:

41dc167b623d1e1d03a4eff1763774ad

SHA1 hash:

c3b4c41bd9069acaff2816ddc6a99988c9eefea8

Link:

https://www.unpac.me/results/ebce771d-35c6-4f1c-b0a2-7bba4113c2ff/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7770eddde9a0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_AsyncRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects AsyncRAT backdoor.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	win_xworm_bytestring Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects bytestring present in unobfuscated xworm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

exe 7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample