MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651
SHA3-384 hash:	f32d4364013433e7cdb4f8127181772b7bd600dd253174a26b0bc6d1e9d1ff603bed52df0bf80cd6c0f175cd20213b8c
SHA1 hash:	fd7eaa628f424fc1384bcbd926a551c8e60740db
MD5 hash:	ff3aea929347d0168b02de5d2c2bcec3
humanhash:	mockingbird-leopard-timing-double
File name:	高力 ISF - HBL# KLAX24054012 SO#5483 - AMS# OFSHKLAX24054012.scr
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	521'216 bytes
First seen:	2024-05-30 11:45:06 UTC
Last seen:	2024-05-30 17:25:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:lUrKkGdrJwKcItNXOMaFshRSxD1ulXrvNE53jHd:DcA9NEQlXTaT
Threatray	867 similar samples on MalwareBazaar
TLSH	T1B0B4231079394967C5FA04F7056223104FB2B16B6D22E7CD8EE6408978F2F126A57FBB
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT scr

Intelligence

File Origin

# of uploads :

# of downloads :

405

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe

Verdict:

Malicious activity

Analysis date:

2024-05-30 11:48:25 UTC

Tags:

xworm remote

Link:

https://app.any.run/tasks/6c1d864c-b0a4-48e6-9501-b935ec49d6ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2872.28963.28748.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6658673620ad30d287677133win7simulatehigh_evasion

Tags:

Banker Encryption Execution Stealth Nekark Dexter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dff952ce-d3ee-46b9-a823-d578c1ae2af4

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1449528

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-05-30 03:19:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zxwcfn2g3fk65jfjsxgam6k2bfsk6m2ntlki3ftg7jrrz5mu4ziq._file

Verdict:

malicious

AsyncRAT

4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf

AsyncRAT

6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338

AsyncRAT

6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e

AsyncRAT

8d8533278822162961e4bc205ed8e8ca33254c6653ce90bf22f8f25580d72ab1

AsyncRAT

c39365657b596c0e0d5599d177ec383659d23d24d1e529fcf2eeef2c8f82e5f0

AsyncRAT

cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651

AsyncRAT

+ 857 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240530-nxaffsha54/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

94c1b83e9181e597748af34aa30324fa001324bd12d33b12aa01e2a05ba779d6

MD5 hash:

090b76b0c6152ea71f08d1e9ae8f3742

SHA1 hash:

ff5ca08e6d69cb68a76422e804b0574d551ed20e

Detections:

XWorm

MALWARE_Win_XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

Link:

https://www.unpac.me/results/ab524c6b-dbcf-48e1-841d-134b7263f90d/

Parent samples :

da2b56af1ae9569c8848e2a422d48b67c3958f2f9429ff04ef27e0c1bf82ca1d
d302ca49fbe8a59c391e8de2ba44683dbff2e9b97fd136b9dea96f4354defb62
6dd41bfc65feff17a243f97340729b3472f519c1029127c5e9fee03bafcde338
6f4fbb8059780db756519fae97b7f00148f1df2b96ddaf9752d9409d45c1a37e
4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf
e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7
cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651
e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51
45434befb4ed9537e306b346f7ca303e5c01f0c288378695278c8c2dd82e626a
94c1b83e9181e597748af34aa30324fa001324bd12d33b12aa01e2a05ba779d6
ca8b01154f69d84a04afd66dab43bf9a7ace3c5d097d64ff401045fb6cc65dbb
e58ff0b93e922520fa6f1c67196e5fbc7fa1c2c95db7ba4b77a2345de88151a8
bad53d6e667f724563d9b42141bbcf279299b67c03db091c325e8e5597474f76
4a3a25ec628702692e852048f22f3254bf976b8e71b0a71a7d789de8313ac349
d36a3bd128024ada9545b7c02d6fdce79e2a5e778cdfe328cf1b0c8b886a1050
5602833d8b536edfbf979eb740f3345c291a68fc11f868dca1bef92f722420fa
6a3139af3bd7a833719a3e1c95d92f86e924fbfd34389de1ef5c0202d1716a7c
4978a378806fd5d68c08ad4602f80d3f5f1f870cb072475bd32b7a8ca32a3d88
ef257e45ab2ef35a61db240928ea20173fb81a534fbc50a0ecd3667f76c9dc1e
2f8b625544a974b1d801bc2de338dca23abb89fd6d49b5b9bb8ad2dbbb7e41ba
b399f5d239807fe144ad8872b4111002ebc6bb79ea6faa417db37f5ff95100ee
f53d0f2f29ef10e16cd2d607a545c3523dfc9f4e0b04e0b4258740357c525253
be83e0b3f35f8c1c74fc219587b3fb7760ed49a611c5d060dfff4e5853df6c0c
b8c9775f98ecf9d5fc1c9710289f2ec6a843e9a374a34cf29c53e21471d4762b
f1c4f048a0b4996a97160ecfad75fcc84815261916a4357ddb83a78f5fb6d78d
c6ebddfc8508a9943f5f9aae5e7d4406cbadd60a6471fdaf54913e33bc6bc235

SH256 hash:

54892a2ad8bf464501e0f825a114b6519212c52586f18025fa7f7b5abb7df3a9

MD5 hash:

516b95a2508a195dcfd17a41016ccead

SHA1 hash:

e50a8ebffd689a4fd76a5aab73819b454ccd56f4

Link:

https://www.unpac.me/results/ab524c6b-dbcf-48e1-841d-134b7263f90d/

SH256 hash:

c6d32fe528986102d7f123ded295c331c85159fc60e4f420bfc45b0376fbd99f

MD5 hash:

105e424f92930b80313ad17ea45c0046

SHA1 hash:

e212e0619004645dda5f9e38fec88b9064893eaa

Link:

https://www.unpac.me/results/ab524c6b-dbcf-48e1-841d-134b7263f90d/

SH256 hash:

25b5214317428b6661d063585c9de0ceb173e0cbf529069873599ac09f179ae9

MD5 hash:

a09ba49a164d02715cea9498b85dadb3

SHA1 hash:

5cb0c737d9fb738c36ca64082b53cd2d816b6e8b

Link:

https://www.unpac.me/results/ab524c6b-dbcf-48e1-841d-134b7263f90d/

Parent samples :

6379fc2cce3608db3ed95f85abf8e7391890b839c151224cca1dfc64c545b4d1
655a38b1686aa4f75f6dd4f2b59c8e9e09cde9997b46bafbe4e3dee38d859c99

SH256 hash:

cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651

MD5 hash:

ff3aea929347d0168b02de5d2c2bcec3

SHA1 hash:

fd7eaa628f424fc1384bcbd926a551c8e60740db

Link:

https://www.unpac.me/results/ab524c6b-dbcf-48e1-841d-134b7263f90d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample