MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT

Vendor detections: 9


SHA256 hash: 8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd
SHA3-384 hash: 9876b1afa0890418bc635742b1da2741eddf66f4e1c61e4665feaa0de23d42b3913c43a801fa9fdd0c4dcf6e8b10257e
SHA1 hash: 7ff5441adf6b751704534c979046d5698dfdfdb1
MD5 hash: 3094dc3bf3dacc07b7ae62e6cb53e02d
humanhash: alabama-winter-music-muppet
File name: kixx.js
Signature: AsyncRAT
File size: 1'476'882 bytes
First seen: 2024-10-01 07:14:58 UTC
Last seen: 2025-01-24 02:22:55 UTC
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 1536:u3BYP+9LHqamUMgVSnD5MOUbsNZoxOhjPFi/nZky:aM+9jDWgVSnD5QQNZDhjdi/1
Threatray: 1'639 similar samples on MalwareBazaar
TLSH: T10F65D4FCF5851F2AA352605C9AC8585D37B2E731F5D9CF102668670AC18EC2B87D8ED8
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Magika: mp3
Reporter: JAMESWT_WT
Tags: 192-210-215-11 AsyncRAT js

Intelligence


File Origin
# of uploads: 2
# of downloads: 364
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: Exploit Keylog Word
Result
Verdict: UNKNOWN
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to disable the Task Manager (.Net Source)
Creates multiple autostart registry keys
Found malware configuration
Injects a PE file into a foreign processes
JScript performs obfuscated calls to suspicious functions
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected XWorm
Behaviour
Behavior Graph (rendered graph not reproduced; details recovered from its text): Behavior Graph ID 1523187, sample kixx.js, start date 01/10/2024, architecture WINDOWS, score 100. Network node: kizitodavina.duckdns.org (flagged "Uses dynamic DNS services" and "Multi AV Scanner detection for domain / URL"). Process chain: wscript.exe drops C:\Users\user\AppData\Local\Temp\fzP.exe (PE32) and starts fzP.exe; fzP.exe drops C:\Users\user\AppData\Roaming\Service.exe (PE32), creates multiple autostart registry keys and injects a PE file into foreign processes; Service.exe is detected by antivirus and machine learning, injects a PE file into foreign processes and spawns further Service.exe and fzP.exe child processes. Signatures on the graph nodes correspond to the signature list above.
Threat name: Script-JS.Trojan.Vjw0rm
Status: Malicious
First seen: 2024-10-01 05:43:32 UTC
File Type: Text (PowerShell)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xworm discovery execution persistence rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction: kizitodavina.duckdns.org:8645
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments