MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9df90a24a3cb4e7aae390cb2ebf9a46a87b9f8811a9501236aa4d2238e21aabe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9df90a24a3cb4e7aae390cb2ebf9a46a87b9f8811a9501236aa4d2238e21aabe
SHA3-384 hash: e2ef756177f68e00a460ca57d4bc11f5f27d9a8af2962bbe8e8c4ce3e417b659f949f476afc5aff43b5aa0f14383cb1b
SHA1 hash: 042aa244034c502ffae9388f20a18f725a5d2662
MD5 hash: 8142318ee24f849e498a0099d1e13527
humanhash: black-william-vegan-mars
File name:SecorKit.bat
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:4'783 bytes
First seen:2025-01-19 15:19:27 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 96:YffEZlzCHjf6DzCHKVfFfKiCNqwfBYPCNq3fafT2CNl:EEZluj6Duw5K/zBDU+TDj
Threatray 2'068 similar samples on MalwareBazaar
TLSH T131A1821607DB06F71536F3D41B27B1FEA946CF42461B04C9EB680B193B60E796C9DC86
Magika batch
Reporter aachum
Tags:bat xworm


Avatar
iamaachum
https://github.com/7s7sh/XWorm-V5.2/blob/main/XWorm%20V5.6-obf.rar

XWorm C2: networks-vitamin.gl.at.ply.gg

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecorKit.bat
Verdict:
Malicious activity
Analysis date:
2025-01-19 15:17:03 UTC
Tags:
reflection loader xworm
Link:
https://app.any.run/tasks/114dbb82-cfb3-4fbf-9528-fe4fba0970d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678e2c65e708b6e7a3ad8641
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Launching a process
Creating a file
Using obfuscated Powershell scripts
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd dropper evasive find lolbin mountvol powershell svchost.exe
Link:
https://www.filescan.io/uploads/678d18262a063b4c6e889ed8/reports/bbfee6eb-cb2f-46c0-81ae-96ecb46ac469/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9df90a24a3cb4e7aae390cb2ebf9a46a87b9f8811a9501236aa4d2238e21aabe
Result
Verdict:
MALICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1594647
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1594647 Sample: SecorKit.bat Startdate: 19/01/2025 Architecture: WINDOWS Score: 100 31 networks-vitamin.gl.at.ply.gg 2->31 33 files.catbox.moe 2->33 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 14 other signatures 2->51 8 cmd.exe 1 2->8         started        11 XClient.exe 1 2->11         started        13 XClient.exe 2->13         started        signatures3 process4 signatures5 53 Suspicious powershell command line found 8->53 15 powershell.exe 14 18 8->15         started        20 conhost.exe 8->20         started        55 Antivirus detection for dropped file 11->55 57 Multi AV Scanner detection for dropped file 11->57 59 Machine Learning detection for dropped file 11->59 process6 dnsIp7 37 files.catbox.moe 108.181.20.35, 443, 49704 ASN852CA Canada 15->37 27 C:\Users\Public\svchost.exe, PE32 15->27 dropped 39 Drops PE files to the user root directory 15->39 41 Drops PE files with benign system names 15->41 43 Powershell drops PE file 15->43 22 svchost.exe 1 5 15->22         started        file8 signatures9 process10 dnsIp11 35 networks-vitamin.gl.at.ply.gg 147.185.221.25, 49705, 49811, 49954 SALSGIVERUS United States 22->35 29 C:\Users\user\AppData\Roaming\XClient.exe, PE32 22->29 dropped 61 Antivirus detection for dropped file 22->61 63 System process connects to network (likely due to code injection or exploit) 22->63 65 Multi AV Scanner detection for dropped file 22->65 67 2 other signatures 22->67 file12 signatures13
Score:
73%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9df90a24a3cb4e7aae390cb2ebf9a46a87b9f8811a9501236aa4d2238e21aabe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9df90a24a3cb4e7aae390cb2ebf9a46a87b9f8811a9501236aa4d2238e21aabe/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-01-11 18:46:01 UTC
File Type:
Text (PowerShell)
AV detection:
5 of 38 (13.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tx4qujfdznhhvlrzbszox6nenkd3t6ebdkkqci3kutjchdrbvk7a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0515dceafb2ac3a01d779111aabc07e0876b573b67df42af4e183243e7c506ff
AsyncRAT
15beca1f15d1866bf0c7a86b5217f4980b2214d22c44867e89cd872056e4c497
AsyncRAT
75096dda61a68ec57361d1d25972a28b7fce9c676490ec2aa4aa3e018536977e
AsyncRAT
b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc
AsyncRAT
c735c657b913747ba41f2b11498e8c0e138cbcd852c52540e17cda2a1ca8ea52
AsyncRAT
error
AsyncRAT
+ 2'058 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250119-sqqw3stnhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9df90a24a3cb4e7aae390cb2ebf9a46a87b9f8811a9501236aa4d2238e21aabe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Batch (bat) bat 9df90a24a3cb4e7aae390cb2ebf9a46a87b9f8811a9501236aa4d2238e21aabe

(this sample)

AsyncRAT

Executable exe 15beca1f15d1866bf0c7a86b5217f4980b2214d22c44867e89cd872056e4c497

anyrun
any.run
https://app.any.run/tasks/114dbb82-cfb3-4fbf-9528-fe4fba0970d5
  
Delivery method
Distributed via web download
  
Dropping
SHA256 15beca1f15d1866bf0c7a86b5217f4980b2214d22c44867e89cd872056e4c497
  
Dropping
MD5 d1a871dd91c12b3c2504f783e591ea67

Comments