MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8aa2d6f1c31710bde2b869b25753b6536a2ce095f865f472061fd3908758fdcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8aa2d6f1c31710bde2b869b25753b6536a2ce095f865f472061fd3908758fdcb
SHA3-384 hash: 4219c2465652063c302854dff5a58f2615b41eacdf1bed8d8309e2c35c8145ca1d2fccaa858df5b259c6be492c61315a
SHA1 hash: 72d20dac871f3ea5cdfdc565206bd378fbcb7b7b
MD5 hash: c0a3be84e0459e4a3e79779d48f2b87e
humanhash: lamp-hydrogen-cola-princess
File name:Zoom_Invite.call-660111329517.wsf
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:5'095 bytes
First seen:2024-09-24 12:05:16 UTC
Last seen:Never
File type:
MIME type:text/html
ssdeep 96:TskWXrHfYiu03P/hyUMl2N6SmxV3xzjpeAD0yRF3tVDQgdjVbi/VKM:/0rTuI3HM06SifzjpeFy7/VUV
Threatray 1'337 similar samples on MalwareBazaar
TLSH T1C3B1C532AE0C76B58EA70481645B7EA5CBADD52E173B04E4BC4D0C2E5361D94C2BF9DC
Magika vba
Reporter JAMESWT_WT
Tags:ALBANIAH3CKER-WORK-GD--7000 AsyncRAT bitbucket-org--xyz491 wsf xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PwrSh.Iex-C.15207.3416.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f2d2cb5346c7b922adae56
Tags:
Execution Network Stealth Powershell Gumen Tori Sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade powershell
Link:
https://www.filescan.io/uploads/66f2ab2f5551d52611ffd44a/reports/d318cfef-9710-4bd6-9ec4-71c28dcd9225/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8aa2d6f1c31710bde2b869b25753b6536a2ce095f865f472061fd3908758fdcb
Result
Verdict:
SUSPICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1516965
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1516965 Sample: Zoom_Invite.call-660111329517.wsf Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 48 paste.ee 2->48 50 api.telegram.org 2->50 52 2 other IPs or domains 2->52 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 72 6 other signatures 2->72 10 wscript.exe 1 2->10         started        13 wscript.exe 2->13         started        15 wscript.exe 1 2->15         started        signatures3 68 Connects to a pastebin service (likely for C&C) 48->68 70 Uses the Telegram API (likely for C&C communication) 50->70 process4 signatures5 82 Wscript starts Powershell (via cmd or directly) 10->82 17 cmd.exe 1 10->17         started        20 cmd.exe 13->20         started        84 VBScript performs obfuscated calls to suspicious functions 15->84 86 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->86 88 Suspicious execution chain found 15->88 22 powershell.exe 15->22         started        process6 signatures7 56 Suspicious powershell command line found 17->56 58 Wscript starts Powershell (via cmd or directly) 17->58 60 Bypasses PowerShell execution policy 17->60 24 cmd.exe 1 17->24         started        27 conhost.exe 17->27         started        29 cmd.exe 1 20->29         started        31 conhost.exe 20->31         started        33 powershell.exe 7 22->33         started        35 conhost.exe 22->35         started        process8 signatures9 78 Suspicious powershell command line found 24->78 80 Wscript starts Powershell (via cmd or directly) 24->80 37 powershell.exe 15 24->37         started        40 powershell.exe 15 29->40         started        process10 signatures11 74 Writes to foreign memory regions 37->74 76 Injects a PE file into a foreign processes 37->76 42 RegSvcs.exe 2 37->42         started        46 RegSvcs.exe 1 40->46         started        process12 dnsIp13 54 ALBANIAH3CKER.WORK.GD 94.198.50.33, 49710, 7000 DHUBRU Russian Federation 42->54 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->90 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8aa2d6f1c31710bde2b869b25753b6536a2ce095f865f472061fd3908758fdcb/
Threat name:
Script-WScript.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-09-24 11:54:07 UTC
File Type:
Text
Extracted files:
1
AV detection:
4 of 38 (10.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkrnn4odc4il3yvyngzfou5wknvczyev7bs7i4qgd7jzbb2y7xfq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
3a5134cc11c7c47b7268e7bf6bf1556c5ff5044af54b7931cae652bfd8d83717
AsyncRAT
65003b56f231e2913aed2ce8c6e5311778f03762263c43e10daafbb846d687cf
AsyncRAT
ca7c2fbb9989ff738c74492d418a9c411f47944ca27b11ff2f41cd1e4f03b7a5
AsyncRAT
d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872
AsyncRAT
f3831d6ca373f539fec77e975ae4fc26451bfb3113513813819ea1111f31a81a
AsyncRAT
fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7
AsyncRAT
+ 1'327 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/240924-saf2yazcqq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
ALBANIAH3CKER.WORK.GD:7000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8aa2d6f1c31710bde2b869b25753b6536a2ce095f865f472061fd3908758fdcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments