MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c
SHA3-384 hash: 16ea96856311cdc24355368e2023c100a5039eba569a61467d384f97d9beb973d85dc4e7aa4ba879d5fab9abcde998a2
SHA1 hash: 46e152a91b30cd0e750f632f4ff31ea30a6cd008
MD5 hash: 12e6c8fb70c2ecbcaaecabf7ec2bf2c5
humanhash: colorado-lake-wisconsin-twenty
File name:KoGaMa_Cheater v3.2.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:247'296 bytes
First seen:2024-07-10 21:53:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 3072:HBih3YyvuSfbGQwhOvUvLEw4XB0xnzEQ4FReb+i+2JzOXc/s6:h+IkbLVIYJ0xnzSFReb3N
TLSH T139349ECA6E9106B7D3ADF67008B3733D873FA93E6BC38E0E949B2D45573258C8940695
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13097/50/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4504/4/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter Chainskilabs
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c.exe
Verdict:
Malicious activity
Analysis date:
2024-07-10 21:57:04 UTC
Tags:
xworm evasion pastebin
Link:
https://app.any.run/tasks/4e34886c-15b5-4c19-bfbe-1af08c326a4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Msilzilla-10002982-0
Create hunting rule

Win.Packed.Msilzilla-10019837-0
Create hunting rule

Win.Packed.Loveletter-10023052-0
Create hunting rule

Win.Dropper.Nanocore-10024427-0
Create hunting rule

Win.Packed.Loveletter-10024677-0
Create hunting rule

Win.Packed.Msilzilla-10024808-0
Create hunting rule

Win.Packed.Msilzilla-10026193-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL
Create hunting rule

Win.Trojan.Injector-6297685-1
Create hunting rule

Win.Trojan.Agent-345883
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668f02fb50cbfd4734a899e9win7simulatehigh_evasion
Tags:
Banker Encryption Execution Static Stealth Dexter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm asyncrat backdoor borland_delphi fingerprint lolbin lolbin masquerade packed rat schtasks schtasks shell32
Link:
https://www.filescan.io/uploads/668f02fb7a9d1652006ff4d5/reports/b553d3a5-3038-4d25-9455-3ad42c38c768/overview
Verdict:
Malicious
Labled as:
Dropper.Trojan.Renos.Generic
Link:
https://www.hybrid-analysis.com/sample/891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8fc2068-c38b-4344-ae43-a26528c3e6de
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1471115
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1471115 Sample: KoGaMa_Cheater v3.2.exe Startdate: 10/07/2024 Architecture: WINDOWS Score: 100 47 ip-api.com 2->47 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 13 other signatures 2->59 9 KoGaMa_Cheater v3.2.exe 3 2->9         started        signatures3 process4 file5 43 C:\Users\user\...\KoGaMa_CheaterV1.2.exe, PE32 9->43 dropped 45 C:\Users\user\AppData\...\KoGaMa_Cheat1.2.exe, PE32 9->45 dropped 12 KoGaMa_Cheat1.2.exe 14 3 9->12         started        15 KoGaMa_CheaterV1.2.exe 14 3 9->15         started        process6 dnsIp7 61 Antivirus detection for dropped file 12->61 63 Multi AV Scanner detection for dropped file 12->63 65 Machine Learning detection for dropped file 12->65 69 3 other signatures 12->69 18 powershell.exe 23 12->18         started        21 powershell.exe 12->21         started        23 powershell.exe 12->23         started        49 ip-api.com 208.95.112.1, 49704, 49705, 80 TUT-ASUS United States 15->49 67 Adds a directory exclusion to Windows Defender 15->67 25 powershell.exe 23 15->25         started        27 powershell.exe 15->27         started        29 powershell.exe 15->29         started        signatures8 process9 signatures10 31 conhost.exe 18->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        51 Loading BitLocker PowerShell Module 25->51 37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c
Detection:
xworm
Create hunting rule
Link:
https://mwdb.cert.pl/sample/891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c/
Threat name:
Win32.Downloader.Renos
Create hunting rule
Status:
Malicious
First seen:
2024-07-10 12:48:12 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
23 of 24 (95.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rendfxepcbbyx6422usj5n37wpg4gxgflyjh6xetuj55pztto6oa._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/240710-1r69fsvanh/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
127.0.0.1:41896
20.ip.gl.ply.gg:41896
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0bde8bec-71b9-48b4-93cb-9bf2ebe63c4b
Unpacked files
SH256 hash:
2a030039b71232016f5fbe98e8743bf2e2cc797438fff29bb0e23d83a371b617
MD5 hash:
b368adf8590eebc81808003ab7ed449f
SHA1 hash:
b890a1a3dda06b534a0e4efb029d38c7ed9053fe
Link:
https://www.unpac.me/results/0c132eab-646d-4343-a532-77c06f35a816/
SH256 hash:
1102a9608bdb8b1a196dd98c71cf39368e9a7aa4bcf53f08e3d73e9d6ecdb5a8
MD5 hash:
f7dc86de273e29498a129a006a077625
SHA1 hash:
e76de7ae1203049c6f062dbd1465b1ec2d261c35
Link:
https://www.unpac.me/results/0c132eab-646d-4343-a532-77c06f35a816/
SH256 hash:
891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c
MD5 hash:
12e6c8fb70c2ecbcaaecabf7ec2bf2c5
SHA1 hash:
46e152a91b30cd0e750f632f4ff31ea30a6cd008
Link:
https://www.unpac.me/results/0c132eab-646d-4343-a532-77c06f35a816/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/891a32dc8f10438bfb9ad5249eb77fb3cdc35cc55e127f5c93a27bd7e673779c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA

Comments