MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b782f1817e1e9918f16bf709f776a67f826e3bce5d6d4a24fb35591e93c368d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 17



SHA256 hash: b782f1817e1e9918f16bf709f776a67f826e3bce5d6d4a24fb35591e93c368d8
SHA3-384 hash: dee5435f3312e8b4de1a2805ac707d22925bb4bea5085b682b95003ca67286645b24f5667905d0445ab6cd9432487668
SHA1 hash: ea9768e2d12ade5866e52ab2cae7928e0c1e1372
MD5 hash: d5b02eb896eef008b4d22c9466542a51
humanhash: one-eighteen-five-jersey
File name: IMG465244247443 ORDER Opmagasinering.exe
Signature: AsyncRAT
File size: 569'352 bytes
First seen: 2024-10-23 07:17:27 UTC
Last seen: 2024-10-23 08:28:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:rdV4xeRyvdSpdfFTmikSTfXCpKgIDbZqGoRA8kR:rX4NAT6efX4HWfZL
Threatray: 271 similar samples on MalwareBazaar
TLSH: T142C49DD03B363719DEA95B759259DDB593B22A68B004FAF269DC3B87318D3509E0CF02
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: lowmal3
Tags: AsyncRAT exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 438
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: IMG465244247443ORDEROpmagasinering.exe
Verdict: Malicious activity
Analysis date: 2024-10-23 07:22:01 UTC
Tags: xworm remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: Powershell Gumen
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed packed packer_detected
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph (ID: 1539993; Sample: IMG465244247443 ORDER Opmag...; Startdate: 23/10/2024; Architecture: WINDOWS; Score: 100)
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
Network: aarsallc.duckdns.org (Uses dynamic DNS services)
Process tree:
  IMG465244247443 ORDER Opmagasinering.exe
    dropped: C:\Users\user\AppData\...\qjlmyIKipfQSY.exe (PE32); C:\...\qjlmyIKipfQSY.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC382.tmp (XML); IMG465244247443 OR...agasinering.exe.log (ASCII)
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    IMG465244247443 ORDER Opmagasinering.exe
      network: aarsallc.duckdns.org 192.169.69.26, ports 4087, 49764, 49790 (WOWUS, United States); 104.223.35.76, ports 4087, 50023 (ASN-QUADRANET-GLOBALUS, United States)
      dropped: IMG465244247443 ORDER Opmagasinering.exe (PE32)
      signatures: Adds a directory exclusion to Windows Defender
      powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
      powershell.exe -> conhost.exe
      powershell.exe -> conhost.exe
      WerFault.exe
    powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
    schtasks.exe -> conhost.exe
    2 other processes
  qjlmyIKipfQSY.exe
    signatures: Multi AV Scanner detection for dropped file
    schtasks.exe -> conhost.exe
    qjlmyIKipfQSY.exe
  IMG465244247443 ORDER Opmagasinering.exe
    schtasks.exe -> conhost.exe
    IMG465244247443 ORDER Opmagasinering.exe
  IMG465244247443 ORDER Opmagasinering.exe
    2 other processes -> conhost.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2024-10-23 07:18:05 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xworm discovery execution persistence rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction: aarsallc.duckdns.org:4087
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 5a8dee8ad02ce8e8cf68be14a503b40434bebaf95aed7e43780ff1bf9ca1c98b
MD5 hash: 4ed2c456ccedc1e018c96751c1ee35a7
SHA1 hash: da0dd92002188fda55e7058f38f7a6cd082f40c0
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash: 37fc4b448081a28dc372970daf4055fc5abf6361762ac243ace4216cb1c1b62f
MD5 hash: 89b8bd4d8e8238ffd6cb62fdf9d9f97f
SHA1 hash: 6121dcaf8cd7ac5f8beca0ad4ced4e75faeddb15
Detections: XWorm win_xworm_w0 MALWARE_Win_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA win_xworm_bytestring MALWARE_Win_AsyncRAT
SHA256 hash: 69e80e2053b50c69801f775539c165df6854ce1a322ec13b7e33b88891f33d50
MD5 hash: 8ebd65076ae14cdecd88fb251687c1b4
SHA1 hash: 0984e199c4f3b2564502bf0829f460d4d6a239be
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Parent samples:
SHA256 hash: b782f1817e1e9918f16bf709f776a67f826e3bce5d6d4a24fb35591e93c368d8
MD5 hash: d5b02eb896eef008b4d22c9466542a51
SHA1 hash: ea9768e2d12ade5866e52ab2cae7928e0c1e1372
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings
Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AsyncRAT
Executable exe b782f1817e1e9918f16bf709f776a67f826e3bce5d6d4a24fb35591e93c368d8 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Comments